Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
litespeed_wiki:config:enable_quic [2019/03/26 18:00]
Jackson Zhang [UDP rate limiting option in CSF should be disabled] 		litespeed_wiki:config:enable_quic [2020/12/14 04:05] (current)
Eric Leu
Line 27: Line 27:
  
 If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. ​ If there is no extra firewall such as CSF, UDP 443 should be enabled by default. If CSF is used, you need to enable it at the CSF level. ​
 +ConfigServer Security & Firewall -> csf - ConfigServer Firewall -> Firewall Configuration -> IPv4 Port Settings -> UDP_IN and UDP_OUT should enable ''​443''​.
 +
 {{ :​litespeed_wiki:​config:​udp-443-csf-quic.png?​400 |}} {{ :​litespeed_wiki:​config:​udp-443-csf-quic.png?​400 |}}
  
-Also make sure that ''​UDPFLOOD''​ is set to 0.+Also make sure that ''​UDPFLOOD''​ is set to Off ''​0''​. 
 + 
 ==== Plesk ==== ==== Plesk ====
 If a firewall is activated, you need to enable UDP 443 manually. If a firewall is activated, you need to enable UDP 443 manually.
Line 50: Line 54:
 ===== How to Test UDP Incoming and Outgoing Connections ===== ===== How to Test UDP Incoming and Outgoing Connections =====
 Although you have enabled UDP on 443 on your server, it may be blocked by the data center at the route/​switch/​firewall level. To verify this, you can run the following: Although you have enabled UDP on 443 on your server, it may be blocked by the data center at the route/​switch/​firewall level. To verify this, you can run the following:
 +
 +==== Verify with NC command ====
 ==== Test Incoming ==== ==== Test Incoming ====
 To test incoming UDP connections to your server, you can run the following command from somewhere else, such as your local VM, or your other test client machine, but not within your server to be tested: ​ To test incoming UDP connections to your server, you can run the following command from somewhere else, such as your local VM, or your other test client machine, but not within your server to be tested: ​
Line 62: Line 68:
   Ncat: Version 6.40 ( http://​nmap.org/​ncat )   Ncat: Version 6.40 ( http://​nmap.org/​ncat )
   Ncat: Connected to 74.125.24.104:​443.   Ncat: Connected to 74.125.24.104:​443.
 +
 +==== Verify with TCPDUMP ====
 +Sometimes that ''​nc -vu''​ command is not enough to verify UDP 443 port unless it will return some information back
 +You can verify it with tcpdump, e.g. 
 +Run tcpdump on the website'​s server.
 +
 +  tcpdump -vv udp port 443 -X
 +  ​
 +Run nc command from any client server.
 +
 +  nc -vu YOUR_DOMAIN 443
 +
 +and you should see some output on server if there'​s any UDP port 443 traffic in and out.
  
  
Line 114: Line 133:
  
 ==== LF_SPI needs to be turned off when CSF used ==== ==== LF_SPI needs to be turned off when CSF used ====
-''​LF_SPI''​ in CSF should be turned off+''​LF_SPI''​ in CSF should be turned off (set  ​''​LF_SPI'' ​= ''​0''​).
- +
-''​LF_SPI'' ​option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default. If the server has a broken stateful connection tracking kernel then this setting can be set to to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost.+
  
 +According to CFS, ''​LF_SPI''​ option configures csf iptables as a Stateful Packet Inspection (SPI) firewall – the default (which means ''​LF_SPI''​ = ''​1''​ by default). If the server has a broken stateful connection tracking kernel then this setting can be set to 0 to configure csf iptables to be a Static firewall, though some funtionality and security will be inevitably lost.
  
 +{{ :​litespeed_wiki:​config:​litespeeed-quic-disable-spi-in-csf.png?​800 |}}
  • Admin
  • Last modified: 2019/03/26 18:00
  • by Jackson Zhang