Linux Mint Forums

When using UFW (the default firewall for all Linux Mint editions except for LMDE) your /var/log/syslog can quickly fill up with useless firewall messages such as the following (this is one line, but wrapped in output here):

Sep 2 21:42:47 machine kernel: [45908.536890] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=40487 PROTO=2

On my machine this is logged every two minutes, making it harder to find messages of actual importance in the syslog. The clue of this message is highlighted in red; it is just your router trying to discover what machines on the network support multicast (see Wikipedia).

It is harmless traffic, but if you prefer to keep your syslog clear of this you can do so by adding a rule to UFW: This is only useful if you have enabled UFW. You can check the status of UFW: It should report similar as below highlighted in red:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To Action From
-- ------ ----
224.0.0.1 DENY IN Anywhere

Tanks for the tip Zenopeek. Rule added to firewall.

Hi xenopeek,
in my logs, I see that ufw blocks wifi traffic with destination DST=224.0.0.251.
If I'm not mistaken, this is also a multicast address.
Also I stumbled upon this arch wiki thread : https://bbs.archlinux.org/viewtopic.php?id=212452 that says (at the end) that it would be better to allow that multicast traffic rather than deny it.
So here are my questions :
- if I want to cover the whole address range 224.0.0.0 to 224.0.0.255 I should use the expression 224.0.0.0/24 right ?
(I try to follow https://en.wikipedia.org/wiki/Classless ... IDR_blocks but I'm not perfectly sure)
- so if I want to allow multicast from the router, I should go with right ?
- what's your take on allowing vs denying ?
- I see that the router is not the only device multicasting. Should I allow (or deny) anything multicasting on the LAN ?
e.g. with (where, if I'm correct, 192.168.1.0/26 stands for anything in the range 192.168.1.0 to 192.168.1.63)

Better yet (for approximately 99.9 % of the Mint users): Fire and forget; just nuke all UFW logging. Been doing this on all of my Mint installations for the past year or so. I never did read anything of those spammy UFW logs anyway. Good riddance to something which is bad rubbish for roughly 99.9 % of all Mint users.

Indeed it's probably okay for laptops and single-user desktops.
I also have a small server, where I want to keep logging legitimate ufw blocks.
Digging a bit, I found this interesting : https://askubuntu.com/questions/10836/i ... t-of-dmesg
so it is possible to prevent ufw from logging to /var/log/kern.log , but it does not work for dmesg.
For dmesg you can grep -v UFW.

I have in the gufw setting "logging low level"
And my UFW collects only opening of the gufw
More seriously

... it is possible to prevent ufw from logging to /var/log/kern.log , but it does not work for dmesg.

It looks like a bug.

Even if it always will work, this will not prevent you from spam in dmesg.
For more advanced stuff, I recommend playing with iptables.
Maybe someone will give example ready firewall with explanations of what and how works?
And with script to test this rules with firewall in practice?

Maybe will work with Maybe