Edit: Think I figured it out. I believe some of the weird log entries I was seeing were based on some devices using QUIC while I was enabling/disabling things.
Short answer, yes, UDP 443 must be added to the 'Service' section of the firewall rule for the 'Block QUIC protocol' option to work. I think it would be worthwhile to have a check in place to see if UDP 443 (or 'Any') exists in the 'Service' section when this option is enabled. Recommendations in my second post below.
The simple answer to the question in the title appears to be no, but I'm noticing something interesting with 'Block QUIC protocol' and having the QUIC service (UDP 443) added to a firewall rule 'Service' versus not having it added. What appears to be happening is:
- If I have a firewall rule with 'Block QUIC protocol' enabled but I do not have the QUIC service (UDP 443) added to the firewall rule 'Service' section, when a client attempts to use the QUIC service, it will block as expected but then continue to traverse down the firewall rules list until it can find a firewall rule that will allow it or be blocked by the default DROP ALL rule. This is expected behavior.
- Same scenario as above except if I do have the QUIC service (UDP 443) added to the firewall rule 'Service' section and a client attempts to use the QUIC service, it still appears to block as expected but it seems to stop there (i.e. it doesn't continue to traverse down the firewall rules list).
Here's a simplified version of my setup and how I'm seeing this:
- Firewall Rule #1: A basic LAN to WAN rule (basically the default that gets created) except the 'Source networks and devices' are a list of MAC hosts and the 'Services' is a list of services that these clients use (e.g. HTTP, HTTPS, IMAP, NTP, etc.). Block QUIC protocol is enabled. Logging is disabled.
- Firewall Rule #2: This is also a basic LAN to WAN rule except unlike the above rule, 'Source network and devices' and 'Services' are set to Any. Block QUIC protocol is enabled. Logging is enabled. The idea behind this rule is to log/catch any services that I don't have set in Firewall Rule #1.
When a client attempts to use the QUIC service, I see it being blocked in the firewall rule by Firewall Rule #2 which is what one would expect in the first scenario I mentioned above. Firewall Rule #1 is blocking QUIC so it continues to look at the next firewall rule which is still blocking it but logging is enabled.
Now if I add the QUIC service to Firewall Rule #1 and a client attempts to use the QUIC service, I don't see any logging at all. This is what I don't quite understand.
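The two scenarios above, modelled as an added example that is not part of the original post and not the firewall vendor's own code: a small first-match rule evaluator that follows the semantics the post describes (a rule whose Service list does not contain the packet's service is not a match, so the packet keeps traversing; a matching rule with 'Block QUIC protocol' drops UDP 443 and stops), plus the configuration check suggested in the edit. The rule names, service list and client MAC are constructed sample data.

```python
from dataclasses import dataclass

ANY = "Any"
QUIC = ("udp", 443)          # the QUIC service as (protocol, port)

@dataclass
class Rule:
    name: str
    sources: set             # client MACs, or {ANY}
    services: set            # (proto, port) tuples, or {ANY}
    block_quic: bool = False # the 'Block QUIC protocol' checkbox
    log: bool = False
    action: str = "allow"

def rule_matches(rule, src_mac, service):
    """A rule only matches if both the source and the service are listed (or Any)."""
    src_ok = ANY in rule.sources or src_mac in rule.sources
    svc_ok = ANY in rule.services or service in rule.services
    return src_ok and svc_ok

def evaluate(rules, src_mac, service):
    """First-match evaluation. Returns (rule name, action, logged?).
    Assumed semantics: 'Block QUIC' only takes effect on a rule that matched."""
    for r in rules:
        if not rule_matches(r, src_mac, service):
            continue                       # keep traversing the list
        if service == QUIC and r.block_quic:
            return r.name, "drop", r.log   # blocked here; evaluation stops
        return r.name, r.action, r.log
    return "default DROP ALL", "drop", True

def lint_block_quic(rules):
    """The check proposed in the edit: flag rules where 'Block QUIC protocol'
    is enabled but UDP 443 (or Any) is absent from the Service list, so the
    option can never match and the packet falls through to later rules."""
    return [r.name for r in rules
            if r.block_quic and ANY not in r.services and QUIC not in r.services]

CLIENT = "00:11:22:33:44:55"               # constructed sample MAC

def build_rules(quic_in_rule1):
    """Rule #1 (MAC list, explicit services) and Rule #2 (Any/Any, logging on)."""
    svcs = {("tcp", 80), ("tcp", 443), ("tcp", 993), ("udp", 123)}  # HTTP, HTTPS, IMAPS, NTP
    if quic_in_rule1:
        svcs = svcs | {QUIC}
    rule1 = Rule("Rule #1", {CLIENT}, svcs, block_quic=True, log=False)
    rule2 = Rule("Rule #2", {ANY}, {ANY}, block_quic=True, log=True)
    return [rule1, rule2]
```

Running `evaluate(build_rules(False), CLIENT, QUIC)` lands on Rule #2 with logging, while `evaluate(build_rules(True), CLIENT, QUIC)` stops at Rule #1 with logging off, which is the silent block the post observes; `lint_block_quic` flags Rule #1 only in the first configuration.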