UFW Blocking one instance every 6 mins...

Post by mr.travo »

I have a small nextcloud server that I have built. It's my first time doing this, so I am learning as I go. What I am working with:

Rock64 SBC w/ 4GB RAM, 64GB eMMC, 1TB USB 3 HDD, on Ubuntu headless 16.04 Armbian.

I am getting this UFW block every 5-7 mins in my /var/log/syslog. I am needing some help figuring out where it is coming from and what it is.

Code:

Jun  4 20:46:35 localhost kernel: [622159.443167] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:48:40 localhost kernel: [622284.887920] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:50:46 localhost kernel: [622410.332657] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:52:51 localhost kernel: [622535.777455] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:54:57 localhost kernel: [622661.222251] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:57:02 localhost kernel: [622786.667053] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:59:08 localhost kernel: [622912.111844] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:01:13 localhost kernel: [623037.556645] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:03:18 localhost kernel: [623163.001466] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:05:24 localhost kernel: [623288.446238] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:07:29 localhost kernel: [623413.891068] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:09:35 localhost kernel: [623539.335871] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:11:40 localhost kernel: [623664.780690] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:13:46 localhost kernel: [623790.225477] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:15:51 localhost kernel: [623915.670290] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:17:57 localhost kernel: [624041.115067] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:20:02 localhost kernel: [624166.559919] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:22:07 localhost kernel: [624292.004706] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 21:24:13 localhost kernel: [624417.449474] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

The last half of the MAC is my router, so I have figured that part out. I am *thinking* (very dangerous) that the first part of the MAC is some multicast? I haven't quite wrapped my head around what a multicast is. I am *thinking* it's something similar to a cron job. Outside of that, I am at a loss figuring out the rest.

So, it would be great to figure out what everything else means. I read that TTL stands for Time To Live and it gets kind of murky after that. I am putting money on SRC= source IP and DST= destination IP.

TOS could be Terms of Service and PREC is what I have called others in the past when they tick me off, and lastly, DF PROTO could be some crappy attempt at teaching me French. LOL! That's my best guess guys!

Thanks for the help,

~T
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: UFW Blocking one instance every 6 mins...

Post by mr.travo »

After 2 days of reading and searching I have come to find out that it is a multicast request from my router. I couldn't find a way to disable it from there so I denied it through UFW with:

Code:

sudo ufw deny to 224.0.0.1

So far it looks like it did the trick. It shouldn't be reporting in the ufw.log either... I just hope that it doesn't cover up something that could later be threatening.

~T
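
Added example, not part of either post: a small Python parser that decodes the fields the first post asks about and separates the router's IGMP entries from any other UFW block, which is the concern raised in the second post. The first two sample lines and the router MAC are taken from the log above; the third line, and the names `parse`, `multicast_mac`, `is_igmp_all_hosts` and `triage`, are constructed for illustration.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: two entries as posted above plus one made-up TCP block
# (documentation addresses) to show what is left over for review.
SAMPLE = """\
Jun  4 20:46:35 localhost kernel: [622159.443167] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:48:40 localhost kernel: [622284.887920] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:14:91:82:b9:9a:9c:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jun  4 20:49:02 localhost kernel: [622306.100000] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:aa:bb:cc:00:00:02:08:00 SRC=192.0.2.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""
ROUTER_MAC = "14:91:82:b9:9a:9c"  # the half of MAC= the poster identifies as the router

LINE = re.compile(r"\[\s*(?P<uptime>\d+\.\d+)\] \[UFW (?P<action>\w+)\] (?P<rest>.*)")

def parse(line):
    """Split one UFW kernel log line into fields; None if it is not a UFW entry."""
    m = LINE.search(line)
    if not m:
        return None
    rec = {"uptime": float(m["uptime"]), "action": m["action"], "flags": []}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # SRC/DST = source/destination IP, TTL, PROTO, ...
        else:
            rec["flags"].append(key)  # bare tokens: DF = Don't Fragment, SYN, ...
    mac = rec.get("MAC", "").split(":")
    if len(mac) == 14:  # destination MAC (6) + source MAC (6) + EtherType (2)
        rec["dst_mac"], rec["src_mac"] = ":".join(mac[:6]), ":".join(mac[6:12])
        rec["ethertype"] = "".join(mac[12:])  # 0800 = IPv4
    return rec

def multicast_mac(group):
    """Ethernet address of an IPv4 multicast group: 01:00:5e + low 23 bits of the IP."""
    low = int(IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low >> 16, (low >> 8) & 0xFF, low & 0xFF)

def is_igmp_all_hosts(rec):
    """IP protocol 2 (IGMP) sent to the all-hosts group 224.0.0.1 with TTL=1."""
    return (rec.get("PROTO") == "2" and rec.get("DST") == "224.0.0.1"
            and rec.get("TTL") == "1" and rec.get("dst_mac") == multicast_mac("224.0.0.1"))

def triage(text, router_mac=ROUTER_MAC):
    """Return (router IGMP entries, everything else, seconds between IGMP entries)."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    igmp = [r for r in recs if is_igmp_all_hosts(r) and r["src_mac"] == router_mac]
    other = [r for r in recs if r not in igmp]
    gaps = [round(b["uptime"] - a["uptime"], 1) for a, b in zip(igmp, igmp[1:])]
    return igmp, other, gaps
```

The gap computed from the kernel timestamps in the posted lines is about 125 seconds, which is consistent with the 125-second default IGMP query interval. Entries that end up in `other` are not addressed to 224.0.0.1, so the deny rule from the second post does not apply to them.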