Except DNS, NTP, DoH, DoT, block all UDP.
How can I do it?
Block HTTP/3 and see no web page?
What result are you expecting? Like no torrent? No games?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Simply set input, output and forward for the zone to REJECT, and configure rules that allow the traffic you want.
Also remove the general lan-to-wan forwarding and replace it with more narrowly defined rules, as you wished!
But create the rules first, before setting the zone to REJECT.
And don't forget the DHCP, ICMP and IGMP rules too.
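A firewall config that does what this post describes, written as an added example and not something posted in the thread. It assumes the stock zone names lan and wan, an IPv4-only setup, and reads the first post's "except DNS, NTP, DoH, DoT" as UDP 53 and 123 only: DoT is TCP 853 and DoH is TCP 443 (its UDP form is HTTP/3, which the first post wants blocked), so both ride on a plain TCP forward rule. Rule names are made up; IPv6 would additionally need ICMPv6 and DHCPv6 (UDP 546/547) rules.

```uci
# /etc/config/firewall (example, not from the thread). Rules are evaluated
# top to bottom; anything unmatched falls through to the zone policy.

config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The stock "config forwarding" (src lan, dest wan) is deliberately absent:
# every forwarded flow needs an explicit rule below.

# --- LAN hosts -> router (src only = input chain) ---
config rule
	option name 'Allow-LAN-DHCP'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DNS-NTP'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53 123'
	option target 'ACCEPT'

# SSH and LuCI: keep this rule or you lock yourself out.
config rule
	option name 'Allow-LAN-Mgmt'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-ICMP-IGMP'
	option src 'lan'
	option proto 'icmp igmp'
	option target 'ACCEPT'

# --- LAN -> WAN (src and dest = forward chain) ---
# All TCP (covers DoH on 443 and DoT on 853), plus DNS and NTP over UDP.
config rule
	option name 'Forward-TCP'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option name 'Forward-UDP-DNS-NTP'
	option src 'lan'
	option dest 'wan'
	option proto 'udp'
	option dest_port '53 123'
	option target 'ACCEPT'

config rule
	option name 'Forward-ICMP'
	option src 'lan'
	option dest 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
# Any other UDP from lan to wan (QUIC/HTTP3, WireGuard, VoIP, games)
# now hits the zone forward policy: REJECT.

# --- Router's own traffic (dest only = output chain) ---
config rule
	option name 'Router-Out-DNS-NTP'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53 123'
	option target 'ACCEPT'

config rule
	option name 'Router-Out-TCP'
	option dest 'wan'
	option proto 'tcp'
	option target 'ACCEPT'

# DHCP offers and pings from the router to LAN hosts.
config rule
	option name 'Router-Out-LAN'
	option dest 'lan'
	option proto 'udp icmp'
	option dest_port '68'
	option target 'ACCEPT'

# --- WAN -> router: only what the WAN DHCP client needs ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart`, then check from a LAN host that name resolution and a normal HTTPS site still work while a QUIC-capable site falls back to TCP. On fw4 (OpenWrt 22.03 and later) `nft list ruleset` shows the generated chains, so you can confirm the UDP traffic really ends in the zone's reject target rather than an accept you forgot about.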
What are you trying to achieve by blocking all UDP?
Better privacy, better security.
Please elaborate on this, because disconnecting your router would also give you "better privacy better security", but I suppose this isn't what you had in mind.
Also note that QUIC and WireGuard use UDP as the underlying transport, so your UDP blocking strategy will break these connections. Ironically, both of these protocols were designed to be used with encryption from the very beginning, which helps with "better privacy better security".
I think it would be rational to just use AdBlock or similar and maybe also BanIP to stop the traffic you seem to think about.
Because that is pretty much the only meaningful "security and privacy" you will find in the UDP world.
You realize that DNS (and, as mentioned, many other basic protocols) uses UDP?
Yes, you can.
Yes, it's somewhere between insane and plain stupid to do.
Blocking UDP will not improve your privacy or security unless there are specific things that you are aiming to lock down -- and if that's the case, you should be crafting more granular rules and not some blanket UDP block.
There are three reasons I say this:
- You'll likely break a lot of things by blocking UDP. For example, if you utilize any voice/video chat platforms over your internet connection (including wifi calling from your mobile phone and VoIP), it will stop working.
- If you believe that there is something inherently insecure about UDP, and then by extension that TCP is secure, you need to re-evaluate this assumption. These are the underlying protocols upon which other protocols operate, and the security measures that exist (such as encryption and authentication) require all the layers below to work. Think of UDP and TCP as if they are a door, and then higher level protocols like say ssh or https as the locks (it's far more complicated and nuanced, but silly and simple analogy). Without the locks, yes, the door isn't secure. But without the door, the lock cannot be installed.
- In terms of security/privacy vulnerabilities in the wild, TCP is also commonly used. TCP and UDP are simply two different transport protocols that move data through networks; there's no reason that one is more or less secure, or that either one couldn't be used for nefarious purposes.
You need to define your specific threat vectors if you wish to actually improve said security/privacy (and I'm going to go out on a limb here and guess that your computers and phones and such are more vulnerable than your router, and that you've misunderstood how a router plays into the security story of your network).
Who gave you that answer? Seems like an AI/LLM?
I'm sorry to say, but that is what is known in the AI industry as a hallucination.
- If someone asks a question on the forum and you do not know the answer, DO NOT turn to any generative AI or LLM instance, ask the question, and post the output as an answer - attributed or otherwise.
It's far better that the forum is populated with posts from knowledgeable subject matter experts rather than unattributable, unproven content from LLMs, which will then feed back via web scraping into the LLMs again, potentially compounding a wrong answer many times over.
OK, but Llama said that TCP is more secure. I have even tested with other models which I am running on my server, like DeepSeek V2.
Actually, I have a server with 16 GB RAM, so I can't run larger models. So I have to use a third-party host.
Here I have used meta.ai.
Congratulations, Llama uses UDP-based HTTP/3 itself. Whatcha gonna do...
That is a large language model / AI. It is not authoritative and is frankly just wrong.
If you are putting your trust in AI/LLM agents, feel free to do so at your own peril. But if you're going to do that, there is absolutely no reason for you to be asking questions on this forum since this place is staffed by volunteer humans who actually know what they're talking about -- clearly something you don't seem to believe.
I am testing if I can make my home router more secure, so I have done all that I know so far.
And then I asked duck.ai,
which runs Meta Llama 3.1 70B, and also double-checked with other models like DeepSeek V2 16B from my server, Gemma and Phi 3.5, and combined all of them.
Here is the list I have used.
Learn to take screenshots and copy text. It was habitual before the advance of AI.
For the last time, do not post LLM results here, and don't even reference them. They are not reliable sources of information.
If you don't believe us, please stop coming to this forum.
And if you continue to post LLM responses and refuse to trust our answers, I will make it easier for you by suspending your account.
Because I don't have much knowledge about router security, I have AI now. Before AI, I used to search Reddit, other forums and the internet for the same answers.
But I don't have faith, though; that is why I always verify with other models.
And I also make a post here to verify whether what I have done is enough or I need to do something else.
No interactive chatbot, no YouTube-generated distraction.
Follow a simple checklist on the computer, like your great-grandfather did. It's easy.