Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Where is pfSense support for HTTP/3 and QUIC protocol support?

    Scheduled Pinned Locked Moved General pfSense Questions
    91 Posts 12 Posters 26.6k Views 14 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • lohphatL Offline
      lohphat @mer
      last edited by

      @mer It's not the data payload only, it's the headers so that you can garner at least some minimal info about what's going on, e.g. the FQDN may be exposed if SNI extension is used in TCP where in QUIC it is not.

      SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

      M 1 Reply Last reply Reply Quote 0
      • M Offline
        mer @lohphat
        last edited by

        @lohphat that is all part of the payload when you start from the original packet. Look at a UDP packet, say on ethernet. So you have 1560 bytes to start with, you have ethernet header, you have IP header that says "this is UDP", then you have UDP header then you have UDP payload. Everthing in the QUIC packet is in the UDP payload so the "Headers in the QUIC protocol" are part of the UDP payload and if that is all encrypted, then yes, you can't see anything past the UDP headers, which give you at most "destination".

        lohphatL 1 Reply Last reply Reply Quote 0
        • M Offline
          mer @michmoor
          last edited by

          @michmoor said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

          Overall, NGFW firewalls will always have a hard time if the payload is encrypted. Doesnt matter the vendor at all.

          Agreed. It seems as the primary requirement of a "NGFW" is "packet payload inspection" which can be done if payload is not encrypted. If encrypted, the NGFW would need to know the keys, decrypt the payload, make a decision. Lots of CPU there, not to mention capturing the keys is a nontrivial task.

          M 1 Reply Last reply Reply Quote 1
          • lohphatL Offline
            lohphat @mer
            last edited by

            @mer said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

            @lohphat that is all part of the payload when you start from the original packet.

            Before UDP is used for "traditional" encrypted payloads there's a session setup, THAT is what a session-based f/w can log and track. Once the crypto is established then all bets are off.

            It's the INITIAL headers and handshakes which have been used for traditional session logging, but since QUIC does all the crypto in the initial handshake, there's even less information to latch onto.

            This is the point, with QUIC there's less information to garner clues as to what's going on. It's CURRENTLY used for web traffic mostly -- but there's nothing stopping it from completely replacing TCP for ANY protocol as it gains traction.

            SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @lohphat
              last edited by

              @lohphat still at a loss to how pfsense is behind?

              Or what support you think pfsense should add, you want the web gui via quic? Cuz I doubt overnight pfsense is going to become a ngfw with support for quic ;)

              Since has never been a ngfw in the first place.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              lohphatL 1 Reply Last reply Reply Quote 1
              • M Offline
                michmoor LAYER 8 Rebel Alliance @mer
                last edited by

                @mer Yep which is why i think most would agree focusing on the endpoint through some type of software installed is the best way to go. I know my company uses Sophos endpoint agent along with FireEye's on the laptops. The sophos client is what is doing the URL control and application filtering. Even though Palos are used all over the environment and its a NGFW, its not at all feasible to do this type of control on the firewall. Defense in depth.

                But to stress, to a certain degree, if we are going to expand the definition of a NGFW than you can argue to some degree, that pfsense is that - it is, after all, a UTM. But everyone has there own definition of NGFW.

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                johnpozJ 1 Reply Last reply Reply Quote 1
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @michmoor
                  last edited by johnpoz

                  @michmoor said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                  has there own definition of NGFW.

                  True - but without any packages is just a traditional stateful firewall providing inbound and outbound inspection of the state, etc.

                  While it can do say ips/ids with the addition of a package.. What those packages might do with quic would be up to those packages, and not really pfsense.

                  UTM is another term.. again if I throw IPS package on it I can now call it my NGFW UTM ;) which all just words without meaning without understanding context..

                  Still what exactly does OP feel should happen here.. If your curious what the IPS packages are going to do with quic, that they haven't already done in the last 10 years. Should prob ask @bmeeks

                  But to me this thread doesn't make much sense - unless your just asking for the web gui to be served up via quic? There is nothing for the pfsense the traditional stateful firewall it is to do to "keep up" or not "fall behind"..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  M 1 Reply Last reply Reply Quote 2
                  • M Offline
                    michmoor LAYER 8 Rebel Alliance @johnpoz
                    last edited by

                    @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                    But to me this thread doesn't make much sense

                    yep and this is not to belittle the OP but first and foremost as the original question was confusing.
                    At the end of the day, the majority of communications on a network are going to rely on ports. Allow or Block ports as required. The payload is irrelevant if it's encrypted and if it's not encrypted then you have IDPS systems that will scan the payload and work on defending your network.

                    I think we can all see how UTM or NGFW or whatever term comes next, its really the marketing teams who have won this and confused us all :)

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S Offline
                      stephenw10 Netgate Administrator
                      last edited by

                      @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                      OP is asking for http/3 quic support in pfsense - for what? Serving up the web gui? There is nothing pfsense can do now that gets removed with quic udp over whatever port..

                      Yes, this. I could imagine it makes Squid more obsolete. That's about all.

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @stephenw10
                        last edited by

                        @stephenw10 said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                        it makes Squid more obsolete

                        heheh - yeah true, but squid has be obsolete for what 10 years anyway..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Largely, yes. And encrypted SNI will only make it more so.

                          It still has a place in some specialist deployments. And in those you can just block udp 443.

                          Steve

                          1 Reply Last reply Reply Quote 0
                          • lohphatL Offline
                            lohphat @johnpoz
                            last edited by

                            @johnpoz I was not expecting much other than to start a dialog as the reality is the f/w world had to adapt (note I didn't say "adopt") to the new reality.

                            This has been in motion for a decade and just was ratified and an increasing number of content providers are using it.

                            I didn't know if QUIC was on the roadmap or not and given that Wireshark is STILL evolving to handle it (other than just dump the raw data) to perhaps build a stream/session table to show the "sessions" in progress.

                            My expectations for pfSense would be to provide a little diagnostic data in terms of percentage of traffic it's using, the destination hosts, and any stream/session tabular data which is in the unencrypted part of the header.

                            By definition, the majority of the header is encrypted not just the payload so I wasn't expecting much. However, pfSense is also known as an IDP/IPS platform with the addition of several packages.

                            So if there could at the very minimum get some summary traffic and percentage of traffic, perhaps as another item on the traffic graphs, that would be helpful.

                            Again, I didn't know if there were any plans, so I simply asked the question to get a baseline of where we are.

                            SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @lohphat
                              last edited by

                              @lohphat any of that stuff would have to come from packages would be my take.

                              So again I would tag @bmeeks to throw in his take - he is the ips/ids guy to be sure.

                              To be honest most everything becoming encrypted, not something new with quic - ips and ids is becoming less and less if you want my take on it.

                              Not much ips/ids can do from an encryption tunnel - there isn't much to look at to see if something bad is happening inside that tunnel.

                              Not much the ips/ids can tell from just looking at packets without the payload..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                              lohphatL 1 Reply Last reply Reply Quote 0
                              • lohphatL Offline
                                lohphat @johnpoz
                                last edited by

                                @johnpoz said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                Not much the ips/ids can tell from just looking at packets without the payload..

                                You'd be surprised. Certain applications have a pattern of behavior which can be deduced by the size and frequency of transmissions. It's a bit of alchemy but there are trends which can be triggers on their own.

                                SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                1 Reply Last reply Reply Quote 0
                                • bmeeksB Offline
                                  bmeeks
                                  last edited by bmeeks

                                  There is essentially zero chance that Snort 2.9.x (currently what is used on pfSense) will get HTTP/3 or QUIC support. The 2.9.x branch is not getting any new features from upstream. Everything is going into Snort3.

                                  Suricata does have an open Feature Request for incorporating QUIC app-layer support, but nothing has been settled there yet. Here is the link to the latest iteration of the long discussion: https://github.com/OISF/suricata/pull/7095. But this really does not mean much as Suricata could only detect that QUIC was passing, it would not be able to see anything in it. So not really very useful IMHO. I am unaware of anything happening in Suricata with regards to HTTP/3.

                                  As @johnpoz alluded to, IDS/IPS is getting increasingly harder as more and more network traffic gets encrypted. Pretty soon nothing will be visible at the network layer except very basic source/destination info. Any IDS/IPS will have to move to the endpoints (servers, workstations, mobile devices, etc.).

                                  M 1 Reply Last reply Reply Quote 3
                                  • M Offline
                                    michmoor LAYER 8 Rebel Alliance @bmeeks
                                    last edited by

                                    @bmeeks said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                    ny IDS/IPS will have to move to the endpoints (servers, workstations, mobile devices, etc.).

                                    spot on and exactly as i stated in the previous post..
                                    The way I see it, its like adding ClamAV. Belts and Suspenders to your overall security footprint. Doesn't hurt to have it enabled but to be clear it has little to no impact on defending you at the perimiter. Most of the work is/should be taking place on the endpoint.

                                    Ah well, so the debate rages on....

                                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                    Routing: Juniper, Arista, Cisco
                                    Switching: Juniper, Arista, Cisco
                                    Wireless: Unifi, Aruba IAP
                                    JNCIP,CCNP Enterprise

                                    1 Reply Last reply Reply Quote 0
                                    • E Offline
                                      emikaadeo
                                      last edited by

                                      Hi,
                                      just a quick question. DNS over QUIC support is coming to Unbound.
                                      There's a chance it will be in the upcoming 1.16.3 release. Does Netgate plans to support this via GUI?

                                      1 Reply Last reply Reply Quote 0
                                      • lohphatL Offline
                                        lohphat @netblues
                                        last edited by lohphat

                                        @netblues Well, I'm trying to be pragmatic.

                                        A f/w's job is to monitor and control traffic. Given that QUIC makes inspection a moot point what the f/w CAN do is help control where those packets come from.

                                        e.g. The DoH settings in pfBLocker-devel to permit DNS over HTTP is a good example of how to control a type of traffic. A list of well known sites from which the f/w admin can select to permit/block traffic.

                                        Since QUIC's strength is with streaming/complex websites, I think a page for QUIC which allows to admin to permit QUIC traffic from well known sources would be a reasonable first step. e.g. Google/YouTube, Facebook, Amazon, (and their CDNs).

                                        Let the 80/20 rule stand and let the protocol do its magic where needed but force fallback to TCP for unknown/all other sites.

                                        Yes, this can be done in the f/w ruleset page, but making a dedicated QUIC UI control page would be much friendlier. Perhaps this is a job for a package, but IMHO it's a low-level protocol issue and should be handled by pfSense.

                                        SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                        johnpozJ M 2 Replies Last reply Reply Quote 0
                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator @lohphat
                                          last edited by

                                          @lohphat said in Where is pfSense support for HTTP/3 and QUIC protocol support?:

                                          but IMHO it's a low-level protocol issue and should be handled by pfSense.

                                          Well the same could be said for any cloud provider using 443 currently over tcp. So you want a feature to put in what CDNs are allowed for rules you create.

                                          So in general if i create a rule - you want a drop down list to only allow to specific CDN ASNs that can be picked from a drop down.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                          lohphatL 1 Reply Last reply Reply Quote 0
                                          • lohphatL Offline
                                            lohphat @johnpoz
                                            last edited by

                                            @johnpoz Perhaps.

                                            I've just started digging into QUIC and logging accesses so I need to be smarter about the scope of the requests. e.g. Is the QUIC request going to the FQDN of the content source (e.g. YouTube) or the CDN? If it's the CDN then was there an initial QUIC request to the FQDN, then a session ID created then subsequent QUIC requests go to the CDN? I don't know yet. I'm acknowledging my ignorance thus the reason I posted my question in the first place.

                                            How would pfSense enumerate the CDN ASNs unless it were running BGP?

                                            SG-3100 25.07.1-RELEASE (arm) | Avahi (2.2_7) | ntopng (6.2.0) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.10) | System_Patches (2.2.23)

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.