Blocking UDP in pass-by deployment

1. Introduction

In "pass-by" deployment mode, WFilter can only block TCP traffic. To block UDP traffic, you also need to block certain UDP ports in your router or firewall.

For example:

  1. Tencent QQ uses UDP port 8000 by default; it can also connect over TCP ports 80 or 443 when this UDP port is not available.
  2. When Chrome accesses Google/YouTube sites, QUIC (UDP port 443) is preferred. If QUIC is not available, Chrome switches to normal HTTP/HTTPS.

We recommend blocking UDP ports 443-65534 on your router or firewall. Without this setting, some protocols (e.g. Skype, QQ, BitTorrent) cannot be completely blocked.

2. Examples of blocking UDP ports

In this topic, we list examples of blocking UDP ports on a router or firewall. If your WFilter is working in pass-through mode, you don't need to configure this: the IMNPTF driver blocks UDP traffic automatically in pass-through mode. See: How to install WFilter IMNPTF driver?

List of UDP blocking examples

  1. Cisco RV042
  2. Cisco 2811

Please note

  1. You only need to add one simple rule to block UDP ports 443-65534.
  2. Blocking these UDP ports won't block your internet access, except for a few applications.
  3. If a UDP port is required, for example application A needs to use UDP port "N", you can set your blocked port ranges to "443 -- (N-1)" and "(N+1) -- 65534".
  4. Without blocking these UDP ports, WFilter still works, but some protocols (for example QQ, Skype, BitTorrent) may be incompletely blocked.
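
The range split described in note 3, generalized to several required ports, as an added example that is not part of the WFilter documentation. The function names, the ACL number 101 and the sample ports are assumptions; the rendered lines use Cisco IOS extended access-list syntax and match on destination port.

```python
"""Added example: compute UDP block ranges around ports that must stay open."""

BLOCK_LO, BLOCK_HI = 443, 65534  # block range recommended on this page


def block_ranges(allowed_ports, lo=BLOCK_LO, hi=BLOCK_HI):
    """Return inclusive (start, end) ranges covering lo..hi minus allowed_ports."""
    ranges = []
    start = lo
    # Ports outside lo..hi are never blocked, so they are ignored here.
    # The set removes duplicates; sorting lets us walk the gaps in order.
    for port in sorted({p for p in allowed_ports if lo <= p <= hi}):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1  # resume blocking just above the allowed port
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def cisco_acl(allowed_ports, acl_id=101):
    """Render the ranges as IOS extended ACL lines (acl_id is an assumption)."""
    lines = []
    for start, end in block_ranges(allowed_ports):
        # A one-port range is written with "eq" instead of "range".
        match = f"eq {start}" if start == end else f"range {start} {end}"
        lines.append(f"access-list {acl_id} deny udp any any {match}")
    # Everything else (all TCP, UDP below 443) stays permitted.
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed sample: UDP 500 and 4500 must stay open for an IPsec VPN.
    for line in cisco_acl([500, 4500]):
        print(line)
```

The ACL still has to be applied to the LAN-facing interface of the router; that step depends on the device and is not shown.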