From aaab4e5eff1646c5a70348095ac19d336ac9ebc0 Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Tue, 14 Jan 2020 06:39:02 +0000
Subject: [PATCH] ignore router multicast packets on LAN
---
 etc/fail2ban/filter.d/ufw-probe.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/fail2ban/filter.d/ufw-probe.conf b/etc/fail2ban/filter.d/ufw-probe.conf
index 33404b9..f914dd7 100644
--- a/etc/fail2ban/filter.d/ufw-probe.conf
+++ b/etc/fail2ban/filter.d/ufw-probe.conf
@@ -3,10 +3,13 @@ failregex = .*\[UFW BLOCK\] IN=.* SRC=
 # ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
 # still ban non-local (WAN) calls to any associated ports
-ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$
+ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.).* DST=224\.0\.0.* DF PROTO=2\s+$
+ SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* DST=.* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s+$
 # NOTES:
+# Routers will often send packets to the multicast broadcast address (224.0.0.1)
+# looking for multicast devices, this is safe to ignore on the LAN
 # IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will
 # always match
 # IPv4 private ranges are: