24 lines
1.0 KiB
Plaintext
24 lines
1.0 KiB
Plaintext
[Definition]
|
|
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
|
|
|
|
# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
|
|
# still ban non-local (WAN) calls to any associated ports
|
|
ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$
|
|
|
|
|
|
# NOTES:
|
|
# IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will
|
|
# always match
|
|
# IPv4 private ranges are:
|
|
# 10.0.0.0/8 (10.0.0.0-10.255.255.255)
|
|
# 172.16.0.0/12 (172.16.0.0-172.31.255.255)
|
|
# 192.168.0.0/16 (192.168.0.0-192.168.255.255)
|
|
# Multicast calls are done over UDP Ports. Common ports:
|
|
# 1900 = SSDP (dlna devices, chromecast, most UPnP devices)
|
|
# 3702 = WSD (printers mostly)
|
|
# 5353 = multicast DNS (mDNS)
|
|
# 5355 = link-local multicast name resolution (LLMNR)
|
|
# Excluding these ports on the LAN prevents unwanted bans without having to
|
|
# ignore all LAN addresses in their entirety since compromised LAN systems are
|
|
# still a very common attack vector.
|