ignore local network multicast device discovery

etc/fail2ban/filter.d/ufw-probe.conf

@@ -1,3 +1,23 @@
 [Definition]
 failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
-ignoreregex =
+
+# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
+# still ban non-local (WAN) calls to any associated ports
+ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$
+
+
+# NOTES:
+# IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will
+# always match
+# IPv4 private ranges are:
+#   10.0.0.0/8 (10.0.0.0-10.255.255.255)
+#   172.16.0.0/12 (172.16.0.0-172.31.255.255)
+#   192.168.0.0/16 (192.168.0.0-192.168.255.255)
+# Multicast calls are done over UDP Ports.  Common ports:
+#   1900 = SSDP (dlna devices, chromecast, most UPnP devices)
+#   3702 = WSD (printers mostly)
+#   5353 = multicast DNS (mDNS)
+#   5355 = link-local multicast name resolution (LLMNR)
+# Excluding these ports on the LAN prevents unwanted bans without having to 
+# ignore all LAN addresses in their entirety since compromised LAN systems are 
+# still a very common attack vector.