I often see only-tcp or only-udp allowed in firewalls for certain protocols that work best with both. We have to continue to keep our eyes on the industry to see where things are going so we can be most efficient. Below are some examples, listed with the primary/traditional protocol, then the reason why the other one should also be allowed. In many cases, things will work without allowing the "secondary" protocol, but their efficiency may be hampered.
- https (tcp/443) - Since its inception, https has been a tcp protocol. However, in recent years, and especially with the advent of HTTP/3 (which runs over QUIC on udp/443), allowing only tcp is no longer good enough. Even before HTTP/3, DTLS had already made a tcp-only stance insufficient for https.
- dns (udp/53) - The intro to RFC 7766 says it perfectly: "Most DNS transactions take place over UDP. TCP is always used for full zone transfers (using AXFR) and is often used for messages whose sizes exceed the DNS protocol's original 512-byte limit. The growing deployment of DNS Security (DNSSEC) and IPv6 has increased response sizes and therefore the use of TCP." I have seen situations where AWS responds with data longer than 512 bytes, and it's not uncommon to find TXT records (e.g., for SPF) that exceed that length as well.
- rdp (tcp/3389) - Microsoft's Remote Desktop Protocol works better if both tcp and udp are allowed. It has supported udp since RDP 8.0, and using it gives a smoother experience.
- ldap (tcp/389) - Microsoft is now starting to use ldap over udp in certain scenarios.
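To make the dns item concrete, here is an added example (not from the original post) of the truncation-and-retry behaviour a stub resolver performs: the answer comes back over udp with the TC bit set, the resolver retries over tcp/53, and if the firewall drops tcp/53 the lookup fails. The transports are injected callables and the responses are constructed, so it runs offline.

```python
import struct

DNS_TC = 0x0200          # "truncated" flag in the DNS header flags word
DNS_UDP_LIMIT = 512      # classic udp payload limit from RFC 1035

def build_query(name, qtype=16, qid=0x1234):
    """Encode a minimal DNS query (qtype 16 = TXT) in wire format."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def tcp_frame(msg):
    """DNS over tcp prefixes each message with a 2-byte big-endian length."""
    return struct.pack(">H", len(msg)) + msg

def is_truncated(resp):
    """True if the server set TC=1, i.e. the udp answer did not fit."""
    flags = struct.unpack(">H", resp[2:4])[0]
    return bool(flags & DNS_TC)

def resolve(query, send_udp, send_tcp):
    """Mimic a stub resolver: try udp first, fall back to tcp when TC is set.
    send_udp/send_tcp are transport callables (injected so this runs offline)."""
    resp = send_udp(query)
    if not is_truncated(resp):
        return "udp", resp
    try:
        resp = send_tcp(tcp_frame(query))
    except OSError as e:
        raise RuntimeError("answer truncated over udp and tcp/53 blocked") from e
    return "tcp", resp[2:]   # strip the tcp length prefix

# Constructed sample responses (not real captures; the answer body is a placeholder)
TRUNCATED = struct.pack(">HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)             # QR,TC,RD,RA set
FULL = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 8, 0, 0) + b"\x00" * 600  # > 512 bytes

def udp_truncating(q): return TRUNCATED                      # udp/53 open, answer too big
def tcp_open(q): return tcp_frame(FULL)                      # tcp/53 allowed
def tcp_blocked(q): raise OSError("connection refused")      # firewall drops tcp/53

if __name__ == "__main__":
    q = build_query("example.com")
    print(resolve(q, udp_truncating, tcp_open)[0])           # tcp
    try:
        resolve(q, udp_truncating, tcp_blocked)
    except RuntimeError as e:
        print("failed:", e)
```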
There are surely a lot more, and the list will surely grow, but I just thought I'd comment on a few...