Ok, I am still learning all of this so please have some understanding...

Armbian Ubuntu 16.04 headless server

I am finally getting a small grasp of what is going on in this server and am getting all the hiccups out of it. I was looking in my UFW log and I am full of :

It is blocking the request every 4 to 5 mins. How do I begin to track down what this is and put an end to it?

Thanks so much guys!

~T

Ok, so after more and more searching I have found my router MAC address in there. I am trying to figure out if the first part of the long MAC address signifies a multicast connection (still learning what that is and does). The 08:00 at the end is also throwing me for a loop. What does it stand for?

Back to DDG.....

~T

After 2 days of reading and searching I have come to find out that it is a multicast request from my router. I couldn't find a way to disable it from there so I denied it through UFW with:
So far it looks like it did the trick. It shouldn't be reporting in the ufw.log either... I just hope that it doesn't cover up something that could later be threatening.

~T

http://tldp.org/HOWTO/Multicast-HOWTO-2.html

Edge devices have to communicate.

Thank you Habitual!

I read in the link:

Is this pointing to my UFW rules not setup correctly?

Thanks,

~T

Anyone? I am just trying to get some understanding with this.... I had some more different blocks come in last night and I am trying to "decode" these so I know where to start and what action to take.

Really could use the help with this.

Thanks!

~T

Hello??? Should I be posting this some place else??? I don't understand how a couple of simple questions cannot be answered. It feels that I am searching for the Holy Grail or something. I am finding Microsoft Help (that's the kind of help that tells you what you already know) posted all over the internet. I an willing to bet that someone can teach me how to break down these messages and show me where to start looking for the problem....

I don't know the answer to your questions...
I do know that bumping your own thread every 4 hours is going to turn folks off. We're not paid staff. We're all volunteers. Patience.

i think habitual already gave you the answer?

fwiw, i've been seeing the same behaviour on my machine, always from the same address 224.0.0.1.
but i thought: "good, ufw is doing its job".

rethinking, should i maybe unblock 224.0.0.1?

1 members found this post helpful.

I wasn't trying to "bump" my thread. I was only posting up information as I was learning/finding it out. It just happened to be in a four hour block a couple of times. That was a fluke. Yes, I also am unpaid so I do realize that this is an all volunteer forum. Please don't forget that I have been searching this for over 4 days at that time. What I was asking was out of honesty- should I be posting these questions elsewhere? I wasn't trying to upset anyone.


Ondoho- If you click on the link and read it, it doesn't answer any questions I had about where this was coming from and what it is for. He also said that "Edge devices need to communicate." What does that mean? What's an "edge device"? These may be helpful to those who have a little more knowledge than I do, but at my level it made the water even murkier. All I am doing is trying to understand this as well. I am not trying to be a jerk or anything but after days of searching, it gets frustrating. I don't have a "vast" amount of Linux knowledge, but what I do have, I pass along. I am the type that DOES do his homework before posting up. I am not perfect, but I do read and learn as much as I can before I post up. Sometimes it makes more sense when someone else can put an article into words that make more sense.

Back to the topic-

I know this UFW layout is pretty "standard". I am understanding basically what it's saying, but I am having a hard time tracking down the offending address and how to tell what it's trying to do (other than connect).

Thanks

~T

oh yes it does - at least partly (and you don't need the complete answer garnished & handed to you on a plate, do you?):

Well, I am just not seeing it. Like I stated, to someone else with a little bit more knowledge in this subject, it may make perfect sense. I guess I just don't posses enough knowledge yet to understand the statement.

So, if I ping 224.0.0.1, all multicast capable hosts on the network should answer....

Ok:
I'm not trying to be a smarta&^, I am just trying to figure all of this out. As stated from post #1:

I am seeking the knowledge. I am not sitting on my duff expecting everything hand delivered to me. I have gone round and round searching on this subject for days and am still confused.

I hope this gives you some more understand as to where I am at.

Thanks,

~T

https://en.wikipedia.org/wiki/Border_Gateway_Protocol

This 224.0.0.1 "noise" (Multicast) drove me C.R.A.Z.Y. for "a minute".
From what I read, it is just "noise" and I no longer worry about it.

I sleep better.

Blocking 224.0.0.1/24 could cause failures in communication from edge devices like routers and/or gateways.

I appreciate the info but honestly it doesn't answer what this is and where it's coming from. I am NOT trying to be difficult at all, I am just striving to understand the network side of the house. Blocking this might help you out but for me blocking unknowns keep me up at night, LOL! That's why I try to keep it as a "last resort".

I know that these UFW block notices are displayed in a pretty consistent output. With my example, how can I tell WHICH multicast service is trying to connect and what is it trying to perform (other than a connection)? I am wanting to learn this so I can continue to diag other UFW blocks. It's the simple "teach a man to fish" philosophy.

Thanks Habitual, I appreciate your help!

~T

but do i need to tell ufw explicitely to UNblock it?
i'm seeing output very similar to that of op, so i assume ufw is blocking 224.0.0.1, though i never told it to do so explicitely.
everything is working though afaics...