[Definition]
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>

# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
# still ban non-local (WAN) calls to any associated ports
ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*:).* DST=(static.ip.address.here|224\.0\.0\.*).* PROTO=(2|UDP)(\s+|.* DPT=(1900|3702|5353|5355) LEN=\d*\s+)$


# NOTES:
# Routers will often send packets to the multicast broadcast address (224.0.0.1)
# looking for multicast devices, this is safe to ignore on the LAN
# IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will
# always match
# IPv4 private ranges are:
#   10.0.0.0/8 (10.0.0.0-10.255.255.255)
#   172.16.0.0/12 (172.16.0.0-172.31.255.255)
#   192.168.0.0/16 (192.168.0.0-192.168.255.255)
# Multicast calls are done over UDP Ports.  Common ports:
#   1900 = SSDP (dlna devices, chromecast, most UPnP devices)
#   3702 = WSD (printers mostly)
#   5353 = multicast DNS (mDNS)
#   5355 = link-local multicast name resolution (LLMNR)
# Excluding these ports on the LAN prevents unwanted bans without having to 
# ignore all LAN addresses in their entirety since compromised LAN systems are 
# still a very common attack vector.