
I've done some digging but haven't been able to find something that explains the message below, which I found in dmesg. It's obvious the UFW firewall is blocking something, but I am not having any success in tracking down what is causing it.

[1170462.231472] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:00:00:01:d8:d5:b9:00:68:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

Any pointers on where to look would be appreciated.

  • It's an incoming packet that gets dropped. Isn't the message fairly clear?
    – vidarlo
    Commented Nov 19, 2023 at 0:19
  • It's a pollution issue; I don't think he's asking what it is. Why is UFW polluting the ring buffer? The question has been asked before, but I don't see a great solution yet. Turning logging off isn't great, grepping out UFW isn't great, turning off the firewall isn't great.
    – j0h
    Commented Nov 19, 2023 at 0:28
  • These are likely IGMP (network discovery) multicast packets - see for example UFW blocking connection every minute at home
    Commented Nov 19, 2023 at 0:36
  • "You can prevent the ufw entries from being logged to /var/log/kern.log (to remove duplication) by uncommenting the line in /etc/rsyslog.d/20-ufw.conf that contains & ~." Or rather, change "#& stop" to "& ~". This way you can have logging on and not get the ufw flood in dmesg. askubuntu.com/questions/10836/…
    – j0h
    Commented Nov 19, 2023 at 1:18
  • 224.0.0.1 is a multicast address ... Part of every network, and packets sent to it are forwarded to all hosts; those capable of multicast should reply, but some choose not to reply and drop those packets instead for security reasons, to limit host discovery ... It might be worth noting that this address should not be routable, so it shouldn't pose a threat from outside the network.
    – Raffa
    Commented Nov 19, 2023 at 7:48

1 Answer


What you are seeing are IGMP multicast discovery packets. This happens when you have IoT devices around your home or discoverable network devices.

By default, UFW enables logging. To stop logging these notices, just do sudo ufw logging off. This logging is normal to see everywhere, and unfortunately so are multicast packets. There's nothing to "hunt down" for packet sources. Smart TVs, Smart Ovens, Google HOME / Alexa devices, etc. are all causes for multicast "noise" (as is Avahi on your own system if enabled), so there's not really anything necessarily concerning here if you have any kind of IoT device on your network.

Obligatory notice though: by disabling logging you might miss actual attacks on machines via others in your network. Disabling logging prevents this data from being found.

  • Hi Thomas. Thanks for the advice. I have a number of IoT devices, and this particular VM doesn't do anything particularly important, so I've turned logging off as you suggested.
    – GregoInc
    Commented Nov 19, 2023 at 2:06
  • Turning off firewall logging is a very broad action that will hide any malicious traffic beyond IGMP. It would be good to highlight this in the answer.
    – RichVel
    Commented Nov 19, 2023 at 8:24
  • @RichVel I have added that, but I will make a note that for the average user they don't usually monitor UFW logs anyways. Malicious traffic sighting also requires you to know what is malicious or not, which is its own knowledge set average users won't have.
    – Thomas Ward
    Commented Nov 19, 2023 at 17:24
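
A middle ground between the answer's "ufw logging off" and the objection in the comments is to keep logging on and triage the lines instead. The script below is an added example (not from the question, the answer, or UFW itself): it classifies "[UFW BLOCK]" lines from dmesg or /var/log/kern.log, separating IGMP multicast noise like the questioner's line (PROTO=2 to a 224.0.0.0/4 destination) from blocked unicast traffic that is worth a look. The sample log is the line from the question plus two constructed entries using RFC 5737 documentation addresses and made-up MACs.

```shell
#!/bin/sh
# Added example: triage "[UFW BLOCK]" lines instead of disabling UFW logging.
# Categories: igmp-multicast (IGMP, PROTO=2, to a 224.0.0.0/4 group: local
# discovery noise), other-multicast (non-IGMP to a multicast group, e.g. SSDP
# or mDNS), unicast (anything else, worth reviewing), not-ufw (not a UFW line).

# Print the value of the KEY=VALUE field named $2 in log line $1 (empty if absent).
ufw_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Succeed if $1 is an IPv4 address in the multicast range 224.0.0.0/4.
is_multicast_v4() {
    first=${1%%.*}
    case "$first" in ''|*[!0-9]*) return 1 ;; esac
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# Print the category for one log line.
classify_ufw_line() {
    case "$1" in *"[UFW BLOCK]"*) ;; *) echo not-ufw; return 0 ;; esac
    proto=$(ufw_field "$1" PROTO)
    dst=$(ufw_field "$1" DST)
    if is_multicast_v4 "$dst"; then
        if [ "$proto" = "2" ]; then echo igmp-multicast; else echo other-multicast; fi
    else
        echo unicast
    fi
}

# Read log lines on stdin and print "category count" for each category seen,
# so the unicast count stands out even when multicast noise dominates.
summarize_ufw_log() {
    while IFS= read -r line; do classify_ufw_line "$line"; done \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample: the line from the question plus two invented entries
# (RFC 5737 documentation addresses, made-up MACs).
SAMPLE_LOG='[1170462.231472] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:00:00:01:d8:d5:b9:00:68:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
[1170470.000000] [UFW BLOCK] IN=ens3 OUT= MAC=01:00:5e:7f:ff:fa:00:11:22:33:44:55:08:00 SRC=192.0.2.20 DST=239.255.255.250 LEN=60 TOS=0x00 PREC=0x00 TTL=4 ID=4 PROTO=UDP SPT=50000 DPT=1900 LEN=40
[1170480.000000] [UFW BLOCK] IN=ens3 OUT= MAC=00:11:22:33:44:66:00:11:22:33:44:77:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Stand-alone run on the sample; on a real host use: dmesg | summarize_ufw_log
printf '%s\n' "$SAMPLE_LOG" | summarize_ufw_log
```

Pair this with "ufw logging low" (the default) rather than "off", and review only the unicast bucket.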
