26 lines
1.2 KiB
Plaintext
26 lines
1.2 KiB
Plaintext
[Definition]
|
|
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
|
|
|
|
# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks
|
|
# still ban non-local (WAN) calls to any associated ports
|
|
ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*:).* DST=(static.ip.address.here|224\.0\.0\.*).* PROTO=(2|UDP)(\s+|.* DPT=(1900|3702|5353|5355) LEN=\d*\s+)$
|
|
|
|
|
|
# NOTES:
|
|
# Routers will often send packets to the multicast broadcast address (224.0.0.1)
|
|
# looking for multicast devices, this is safe to ignore on the LAN
|
|
# IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will
|
|
# always match
|
|
# IPv4 private ranges are:
|
|
# 10.0.0.0/8 (10.0.0.0-10.255.255.255)
|
|
# 172.16.0.0/12 (172.16.0.0-172.31.255.255)
|
|
# 192.168.0.0/16 (192.168.0.0-192.168.255.255)
|
|
# Multicast calls are done over UDP Ports. Common ports:
|
|
# 1900 = SSDP (dlna devices, chromecast, most UPnP devices)
|
|
# 3702 = WSD (printers mostly)
|
|
# 5353 = multicast DNS (mDNS)
|
|
# 5355 = link-local multicast name resolution (LLMNR)
|
|
# Excluding these ports on the LAN prevents unwanted bans without having to
|
|
# ignore all LAN addresses in their entirety since compromised LAN systems are
|
|
# still a very common attack vector.
|