Distribution: Mint 18.3 Cinnamon, Gallium, Ubuntu Armbian (headless), Arch (learning)
Posts: 138
Rep:
UFW blocking same MAC address....
Ok, I am still learning all of this so please have some understanding...
Armbian Ubuntu 16.04 headless server
I am finally getting a small grasp of what is going on in this server and am getting all the hiccups out of it. I was looking in my UFW log and I am full of :
Original Poster
Ok, so after more and more searching I have found my router MAC address in there. I am trying to figure out if the first part of the long MAC address signifies a multicast connection (still learning what that is and does). The 08:00 at the end is also throwing me for a loop. What does it stand for?
Original Poster
After 2 days of reading and searching I have come to find out that it is a multicast request from my router. I couldn't find a way to disable it from there so I denied it through UFW with:
Code:
sudo ufw deny to 224.0.0.1
So far it looks like it did the trick. It shouldn't be reporting in the ufw.log either... I just hope that it doesn't cover up something that could later be threatening.
Original Poster
Thank you Habitual!
I read in the link:
Quote:
it should be obvious that multicast traffic is handled at the transport layer with UDP, as TCP provides point-to-point connections, not feasible for multicast traffic.
Is this pointing to my UFW rules not setup correctly?
Original Poster
Anyone? I am just trying to get some understanding with this.... I had some more different blocks come in last night and I am trying to "decode" these so I know where to start and what action to take.
Original Poster
Hello??? Should I be posting this some place else??? I don't understand how a couple of simple questions cannot be answered. It feels that I am searching for the Holy Grail or something. I am finding Microsoft Help (that's the kind of help that tells you what you already know) posted all over the internet. I am willing to bet that someone can teach me how to break down these messages and show me where to start looking for the problem....
I don't know the answer to your questions...
I do know that bumping your own thread every 4 hours is going to turn folks off. We're not paid staff. We're all volunteers. Patience.
Original Poster
Quote:
Originally Posted by scasey
I don't know the answer to your questions...
I do know that bumping your own thread every 4 hours is going to turn folks off. We're not paid staff. We're all volunteers. Patience.
I wasn't trying to "bump" my thread. I was only posting up information as I was learning/finding it out. It just happened to be in a four hour block a couple of times. That was a fluke. Yes, I also am unpaid so I do realize that this is an all volunteer forum. Please don't forget that I have been searching this for over 4 days at that time. What I was asking was out of honesty- should I be posting these questions elsewhere? I wasn't trying to upset anyone.
Ondoho- If you click on the link and read it, it doesn't answer any questions I had about where this was coming from and what it is for. He also said that "Edge devices need to communicate." What does that mean? What's an "edge device"? These may be helpful to those who have a little more knowledge than I do, but at my level it made the water even murkier. All I am doing is trying to understand this as well. I am not trying to be a jerk or anything but after days of searching, it gets frustrating. I don't have a "vast" amount of Linux knowledge, but what I do have, I pass along. I am the type that DOES do his homework before posting up. I am not perfect, but I do read and learn as much as I can before I post up. Sometimes it makes more sense when someone else can put an article into words that make more sense.
Back to the topic-
I know this UFW layout is pretty "standard". I am understanding basically what it's saying, but I am having a hard time tracking down the offending address and how to tell what it's trying to do (other than connect).
Quote:
Ondoho- If you click on the link and read it, it doesn't answer any questions I had about where this was coming from and what it is for.
oh yes it does - at least partly (and you don't need the complete answer garnished & handed to you on a plate, do you?):
Quote:
224.0.0.1 is the all-hosts group. If you ping that group, all multicast capable hosts on the network should answer, as every multicast capable host must join that group at start-up on all its multicast capable interfaces.
Original Poster
Quote:
Originally Posted by ondoho
oh yes it does - at least partly (and you don't need the complete answer garnished & handed to you on a plate, do you?):
Well, I am just not seeing it. Like I stated, to someone else with a little bit more knowledge in this subject, it may make perfect sense. I guess I just don't possess enough knowledge yet to understand the statement.
So, if I ping 224.0.0.1, all multicast capable hosts on the network should answer....
I'm not trying to be a smarta&^, I am just trying to figure all of this out. As stated from post #1:
Quote:
Ok, I am still learning all of this so please have some understanding...
I am seeking the knowledge. I am not sitting on my duff expecting everything hand delivered to me. I have gone round and round searching on this subject for days and am still confused.
I hope this gives you some more understanding as to where I am at.
This 224.0.0.1 "noise" (Multicast) drove me C.R.A.Z.Y. for "a minute".
From what I read, it is just "noise" and I no longer worry about it.
I sleep better.
Blocking 224.0.0.1/24 could cause failures in communication from edge devices like routers and/or gateways.
I appreciate the info but honestly it doesn't answer what this is and where it's coming from. I am NOT trying to be difficult at all, I am just striving to understand the network side of the house. Blocking this might help you out but for me blocking unknowns keeps me up at night, LOL! That's why I try to keep it as a "last resort".
I know that these UFW block notices are displayed in a pretty consistent output. With my example, how can I tell WHICH multicast service is trying to connect and what is it trying to perform (other than a connection)? I am wanting to learn this so I can continue to diag other UFW blocks. It's the simple "teach a man to fish" philosophy.
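Reading a UFW block line the way the question above asks (which device sent the packet, which multicast group or service it was aimed at, and what the trailing 08:00 means): in a UFW/netfilter log line the MAC= field packs the destination MAC, the source MAC and the EtherType, where 08:00 is IPv4, and the DST= address says which multicast group was addressed. The Python below is an added example, not from this thread; the log lines are constructed samples and the group table covers only a few well-known groups.

```python
import re
import ipaddress
# Constructed sample [UFW BLOCK] lines (not from the original post). The MAC= field
# packs destination MAC (6 bytes), source MAC (6 bytes) and EtherType (2 bytes).
SAMPLE_LOG = """\
Jan 10 08:12:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Jan 10 08:12:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=12345 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
Jan 10 08:12:09 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:02:11:22:33:44:55:66:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6", "08:06": "ARP"}
PROTO_NUMBERS = {"2": "IGMP"}   # UFW prints protocols it has no name for as numbers
GROUPS = {                      # well-known IPv4 multicast groups on a home LAN
    "224.0.0.1": "all-hosts group (IGMP membership queries, usually from the router)",
    "224.0.0.251": "mDNS service discovery (UDP 5353)",
    "239.255.255.250": "SSDP/UPnP discovery (UDP 1900)",
}

def parse_ufw_line(line):
    """Decode one [UFW BLOCK] line into a dict, splitting the packed MAC field."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) != 14:
        raise ValueError("MAC field is not dst(6) + src(6) + ethertype(2)")
    dst_ip = ipaddress.ip_address(fields["DST"])
    proto = fields.get("PROTO", "")
    return {
        "dst_mac": ":".join(octets[:6]),
        "src_mac": ":".join(octets[6:12]),       # the LAN device that sent the packet
        "ethertype": ETHERTYPES.get(":".join(octets[12:]), "unknown"),
        "mac_multicast": bool(int(octets[0], 16) & 1),  # group bit of first dst octet
        "ip_multicast": dst_ip.is_multicast,    # 224.0.0.0/4
        "proto": PROTO_NUMBERS.get(proto, proto),
        "dst_port": fields.get("DPT"),
        "service": GROUPS.get(str(dst_ip), "not a well-known multicast group"),
    }

def triage(log_text):
    """Split blocked packets into LAN multicast chatter and unicast blocks to review."""
    recs = [parse_ufw_line(l) for l in log_text.splitlines() if "[UFW BLOCK]" in l]
    multicast = [r for r in recs if r["ip_multicast"]]
    return multicast, [r for r in recs if not r["ip_multicast"]]

if __name__ == "__main__":
    multicast, unicast = triage(SAMPLE_LOG)
    for r in multicast:
        print(f"multicast: {r['service']} from {r['src_mac']} via {r['proto']}")
    for r in unicast:
        print(f"review: {r['proto']} to port {r['dst_port']} from {r['src_mac']}")
```

Running it against a real /var/log/ufw.log separates the router's IGMP and mDNS chatter from unicast blocks, which are the lines worth a closer look.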
Quote:
Blocking 224.0.0.1/24 could cause failures in communication from edge devices like routers and/or gateways.
but do i need to tell ufw explicitly to UNblock it?
i'm seeing output very similar to that of op, so i assume ufw is blocking 224.0.0.1, though i never told it to do so explicitly.
Code:
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
(... i don't want to show the rest ...)