As QUIC works over UDP and not TCP, connections over QUIC bypass the proxy. Blocking this traffic will make the connection fall back to TCP, ensuring that all web traffic traverses through the proxy and filtering cannot be bypassed.
Two approaches can be taken to solve this issue.
- Blocking outbound traffic on UDP ports
443on your firewall:
It is recommended that outbound UDP traffic on ports
443 is blocked. This means that the request will fail back to TCP and will be redirected to the proxy. If your firewall is the Smoothwall, go to Network > Outgoing > Ports on the administration user interface:
- Add UDP ports
443to the Reject all port rule
For a detailed description of how to do this, see https://help.smoothwall.net/Hearst/Content/ui/rule/portrules.htm or https://help.smoothwall.net/Inverness/Content/ui/admin/ipfilter/forward.htm.
- Create a Decrypt and inspect policy for Everything (Guardian > HTTPS inspection > Policy wizard in the Smoothwall administration user interface page) — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/https.htm.
- Create a content modification policy in Guardian > Content modification > Policy wizard, with the following:
- Who — Everyone
- What — Everything
- Where — Everywhere
- Action — Apply; Remove QUIC header
For a detailed description of how to do this, go to https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/contentmod.htm.
|Last updated:||Author:||Contributions by:|
|24th October 2016||Tanja Ehrhardt||Samantha Nair|