UFW Blocking one instance every 6 mins...

Post by mr.travo » Mon Jun 04, 2018 9:52 pm

I have a small nextcloud server that I have built. It's my first time doing this, so I am learning as I go. What I am working with:

Rock64 SBC w/ 4GB RAM, 64GB eMMC, 1TB USB 3 HDD, on Ubuntu headless 16.04 Armbian.

I am getting this UFW block every 5-7 mins in my /var/log/syslog. I am needing some help figuring out where it is coming from and what it is.

Code:

Jun  4 20:46:35 localhost kernel: [622159.443167] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:48:40 localhost kernel: [622284.887920] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:50:46 localhost kernel: [622410.332657] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:52:51 localhost kernel: [622535.777455] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:54:57 localhost kernel: [622661.222251] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:57:02 localhost kernel: [622786.667053] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:59:08 localhost kernel: [622912.111844] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:01:13 localhost kernel: [623037.556645] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:03:18 localhost kernel: [623163.001466] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:05:24 localhost kernel: [623288.446238] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:07:29 localhost kernel: [623413.891068] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:09:35 localhost kernel: [623539.335871] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:11:40 localhost kernel: [623664.780690] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:13:46 localhost kernel: [623790.225477] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:15:51 localhost kernel: [623915.670290] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:17:57 localhost kernel: [624041.115067] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:20:02 localhost kernel: [624166.559919] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:22:07 localhost kernel: [624292.004706] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:24:13 localhost kernel: [624417.449474] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

The last half of the MAC is my router, so I have figured that part out. I am *thinking* (very dangerous) that the first part of the MAC is some multicast? I haven't quite wrapped my head around what a multicast is. I am *thinking* it's something similar to a cron job. Outside of that, I am at a loss figuring out the rest.

So, it would be great to figure out what everything else means. I read that TTL stands for Time To Live and it gets kind of murky after that. I am putting money on SRC= source IP and DST= destination IP.

TOS could be Terms of Service and PREC is what I have called others in the past when they tick me off, and lastly, DF PROTO could be some crappy attempt at teaching me French. LOL! That's my best guess guys!

Thanks for the help,

~T
-Travo

"Sometimes i'm not the sharpest shed in the drawer"

Re: UFW Blocking one instance every 6 mins...

Post by mr.travo » Wed Jun 06, 2018 6:12 am

After 2 days of reading and searching I have come to find out that it is a multicast request from my router. I couldn't find a way to disable it from there so I denied it through UFW with:

Code:

sudo ufw deny to 224.0.0.1

So far it looks like it did the trick. It shouldn't be reporting in the ufw.log either... I just hope that it doesn't cover up something that could later be threatening.

~T
-Travo

"Sometimes i'm not the sharpest shed in the drawer"
