ignore local network multicast device discovery
This commit is contained in:
parent 4a7deefe0c
commit d0961917b1
				| @ -1,3 +1,23 @@ | |||||||
| [Definition] | [Definition] | ||||||
| failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST> | failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST> | ||||||
| ignoreregex = | 
 | ||||||
|  | # ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks | ||||||
|  | # still ban non-local (WAN) calls to any associated ports | ||||||
|  | ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$ | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # NOTES: | ||||||
|  | # IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will | ||||||
|  | # always match | ||||||
|  | # IPv4 private ranges are: | ||||||
|  | #   10.0.0.0/8 (10.0.0.0-10.255.255.255) | ||||||
|  | #   172.16.0.0/12 (172.16.0.0-172.31.255.255) | ||||||
|  | #   192.168.0.0/16 (192.168.0.0-192.168.255.255) | ||||||
|  | # Multicast calls are done over UDP Ports.  Common ports: | ||||||
|  | #   1900 = SSDP (dlna devices, chromecast, most UPnP devices) | ||||||
|  | #   3702 = WSD (printers mostly) | ||||||
|  | #   5353 = multicast DNS (mDNS) | ||||||
|  | #   5355 = link-local multicast name resolution (LLMNR) | ||||||
|  | # Excluding these ports on the LAN prevents unwanted bans without having to  | ||||||
|  | # ignore all LAN addresses in their entirety since compromised LAN systems are  | ||||||
|  | # still a very common attack vector. | ||||||
|  | |||||||
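Review bot: the trailing anchor `LEN=\d*\s\s$` in the new ignoreregex ties the match to exactly two whitespace characters after the LEN field; if the log path trims trailing spaces or a line carries a different number of them, the ignore silently stops matching and LAN discovery traffic is banned again, which is the exact failure this change is meant to prevent. `LEN=\d+\s*$` (or dropping the end anchor and relying on `DPT=(1900|3702|5353|5355) LEN=`) keeps the intent without depending on that layout. Two smaller points in the same line: `fe\w*\:` matches any address whose first group begins with `fe`, not just fe80::/10 (fec0::/10 site-local included; harmless since none of fe00::/8 is globally routable, but the NOTES block should say that rather than "only 'fe' will always match"), and the address list omits 169.254.0.0/16 IPv4 link-local and fc00::/7 IPv6 unique-local, both common sources of these same discovery packets on a LAN, so hosts using them will still be banned.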