Page 1 of 2
Results 1 to 10 of 11

Thread: 224.0.0.1 in ufw logs

  1. #1
    Join Date
    Aug 2009
    Beans
    11

    224.0.0.1 in ufw logs

    I have a bare bones ubuntu oneiric installation running on a virtual server.

    I have disabled ipv6 and implemented some security measures in sysctl.conf:

    /etc/sysctl.conf

    Code:
    # Kernel options 
    kernel.printk = 3 4 1 3  
    
    # Disable Ping 
    net.ipv4.icmp_echo_ignore_all = 1  
    
    # Spoof protection (reverse-path filter) 
    net.ipv4.conf.default.rp_filter = 1 
    net.ipv4.conf.all.rp_filter = 1  
    
    # Enable TCP SYN Cookie Protection 
    net.ipv4.tcp_syncookies = 1  
    
    # Do not accept ICMP redirects (prevent MITM attacks) 
    net.ipv4.conf.all.accept_redirects = 0 
    
    # Do not send ICMP redirects (we are not a router) 
    net.ipv4.conf.all.send_redirects = 0  
    
    # Do not accept IP source route packets (we are not a router) 
    net.ipv4.conf.all.accept_source_route = 0 
    
    # Log Martian Packets 
    net.ipv4.conf.all.log_martians = 1  
    
    # Disable IPV6 
    net.ipv6.conf.all.disable_ipv6 = 1 
    net.ipv6.conf.default.disable_ipv6 = 1 
    net.ipv6.conf.lo.disable_ipv6 = 1
    I have ufw setup in the following way:

    # sudo ufw status verbose
    Code:
    Logging: on (low)
    Default: deny (incoming), allow (outgoing)
    New profiles: skip  
    22/tcp      LIMIT IN      Anywhere
    When checking logs i see the following block:

    # sudo tailf /var/log/ufw.log

    Code:
    [UFW BLOCK] IN=eth0 OUT= MAC=* SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
    I did the following:

    # sudo ifconfig -multicast

    Then i checked the ufw logs again and the block above was still being logged.

    The blocking action is good, I just don't know what it is that is causing it!

    I asked my virtual server provider what this ufw log meant and they said they didn't know!

    Can anyone tell me what this block represents?
    Code:
    [UFW BLOCK] IN=eth0 OUT= MAC=* SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
    I will be using this virtual server to run a web server with Drupal, so I want to make sure I understand the setup before I install the LAMP server.

    I just need to understand what is being blocked and why. The logs show this blocking action every few seconds - continuously.

    Anyone?
    Last edited by histographik; November 26th, 2011 at 01:46 AM.

  2. #2
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,963
    Distro
    Ubuntu Development Release

    Re: 224.0.0.1 in ufw logs

    Have a look here: http://tldp.org/HOWTO/Multicast-HOWTO-2.html
    It is a multicast address. I block it also, but rarely, if ever, do I actually get any hits on the block.
    I hope this helps.

  3. #3
    Join Date
    Aug 2009
    Beans
    11

    Re: 224.0.0.1 in ufw logs

    Quote Originally Posted by Doug S View Post
    Have a look here: http://tldp.org/HOWTO/Multicast-HOWTO-2.html
    It is a multicast address. I block it also, but rarely, if ever, do I actually get any hits on the block.
    I hope this helps.
    Thanks for the info Doug, read through it.

    Could you tell me how you explicitly blocked it yourself?

    I have tried:

    sudo ufw insert 1 deny to 224.0.0.1 (trying to block outgoing to 224.0.0.1)

    But the logs show no change.

    Perhaps there is a more robust way of disabling multicast routing, perhaps in /etc/network/interfaces?

  4. #4
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,963
    Distro
    Ubuntu Development Release

    Re: 224.0.0.1 in ufw logs

    I do not use ufw, so do not know how with it. I only use iptables directly, here is the segment for the INPUT chain (for all undesirable sub-nets):
    Code:
    # Assumed definitions (not in the original post): the full script sets these earlier.
    IPTABLES=/sbin/iptables   # path to the iptables binary
    EXTIF=eth0                # the Internet-facing interface
    UNIVERSE=0.0.0.0/0        # any destination
    
    # remote interface, RFC 1918, private internet packets, and some others.
    #
    $IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub192:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j LOG --log-prefix "Sub10:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j LOG --log-prefix "Sub172:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j LOG --log-prefix "Sub240:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 240.0.0.0/5 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j LOG --log-prefix "Sub224:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 224.0.0.0/4 -d $UNIVERSE -j DROP
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j LOG --log-prefix "Sub169:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -s 169.254.0.0/16 -d $UNIVERSE -j DROP
    And I have similar in the FORWARD table (My server is also my router) (small portion only shown):
    Code:
    $IPTABLES -A FORWARD -o $EXTIF -s $UNIVERSE -d 224.0.0.0/4 -j LOG --log-prefix "F224:" --log-level info
    $IPTABLES -A FORWARD -o $EXTIF -s $UNIVERSE -d 224.0.0.0/4 -j DROP

  5. #5
    Join Date
    Aug 2009
    Beans
    11

    Re: 224.0.0.1 in ufw logs

    Many thanks i'll translate these rules into ufw-speak and see if this works.

  6. #6
    Join Date
    Aug 2009
    Beans
    11

    Re: 224.0.0.1 in ufw logs

    I don't seem to be having any joy with this. No amount of dropping gets rid of the above log entry. As a newbie I guess I have lots more reading to understand what is happening here!!

    Here's another interesting point: The supplier of the server is 6sync.

    Code:
    Nov 26 21:56:01 monash kernel: [97526.759532] [UFW ALLOW] IN= OUT=eth0 SRC=204.62.15.XXX (MY IP ADDRESS) DST=204.62.14.YYY (NOT MY IP ADDRESS!!) LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58369 DF PROTO=UDP SPT=45429 DPT=53 LEN=52
    What does this mean? It looks like my virtual server (204.62.15.XXX) is initiating an outgoing packet to another server in the 6sync group (204.62.14.YYY).

    As a newbie I am probably reading this wrong?? Could anyone point me to a good read on understanding iptable/ufw logs?

    I use dyn.com for name resolution not 6sync. The destination port is 53 (DNS).

    Is the above a legitimate transaction for a server locked down with only an ssh port open and public/private keys used to login?
    Last edited by histographik; November 26th, 2011 at 04:20 PM.

  7. #7
    Join Date
    Sep 2007
    Location
    Oklahoma, USA
    Beans
    2,378
    Distro
    Xubuntu 16.04 Xenial Xerus

    Re: 224.0.0.1 in ufw logs

    It looks as if your virtual server is sending a packet out to another address, and receiving a multicast reply that is being blocked and logged. This may be related to your use of dyn.dns; all of the dynamic dns services presumably must maintain a dialog with your machine in order to detect any change of its IP address and correct their own tables. I use a different service myself so cannot say for sure how dyn.dns handles things, but a multicast response seems reasonable.

    The only way I know to tell for sure what is going on is to run "wireshark" on your system and examine the actual packets. The wireshark program can interpret packet contents for you and make things quite a bit more clear. It's in the repositories...
    --
    Jim Kyle in Oklahoma, USA
    Linux Counter #259718
    Howto mark thread: https://wiki.ubuntu.com/UnansweredPo.../SolvedThreads

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    2,963
    Distro
    Ubuntu Development Release

    Re: 224.0.0.1 in ufw logs

    It looks as though your 224.0.0.1 log entries are because the UFW iptables rule blocked the packet, so I think that is doing what you want (and, sorry I perhaps added confusion yesterday, by not reading your original post thoroughly). It looks as though the packets are incoming, perhaps somehow related to your hosting service.
    Yes, it does look as though your server is doing a DNS inquiry to 6sync.
    There is a very good thread that Dangertux wrote here: http://ubuntuforums.org/showthread.php?t=1876124
    There are also some good references at the end of the DNS chapter in the Ubuntu server guide. (I prefer the PDF version)
    Oh, I see a reply from JKyleOKC was added. And yes, I agree it is probably time to use wireshark to gain further insight.
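The two log lines discussed in this thread (the repeating `[UFW BLOCK] ... DST=224.0.0.1 ... PROTO=2` entry and the `[UFW ALLOW] ... DPT=53` entry) can be read mechanically. Netfilter prints a protocol name only for TCP, UDP and ICMP and the raw IANA number for anything else, and protocol 2 is IGMP; 224.0.0.1 is the all-hosts multicast group, and a query to it with TTL=1 is the periodic poll a multicast querier on the segment sends (an IGMP-snooping switch may send such queries from 0.0.0.0, as RFC 4541 describes, which is consistent with SRC=0.0.0.0 here). The Python below is an added example for this thread, not code from any of the posts: it parses the key=value fields of a ufw/netfilter log line, names the protocol, classifies source addresses against the same private/link-local/multicast/reserved ranges the iptables rules above drop, and prints a one-line verdict per entry. The sample log is constructed with RFC 5737 documentation addresses, not real hosts.

```python
"""Triage netfilter/ufw log lines: decode the key=value fields, name the
protocol number, classify the addresses and say what each entry most likely is.
Added example for this thread, not code from the original posts."""
import ipaddress
import re
from collections import Counter

# IANA protocol numbers. ufw prints names for TCP/UDP/ICMP and the raw
# number for everything else, which is why IGMP shows up as PROTO=2.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# Source ranges that should never arrive on a public interface (the same idea
# as the RFC 1918 / multicast / reserved drop rules posted above; 240.0.0.0/4
# is used here for the whole reserved block).
BOGONS = [
    ("unspecified", "0.0.0.0/8"), ("loopback", "127.0.0.0/8"),
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"), ("rfc1918", "192.168.0.0/16"),
    ("link-local", "169.254.0.0/16"), ("multicast", "224.0.0.0/4"), ("reserved", "240.0.0.0/4"),
]
BOGONS = [(name, ipaddress.ip_network(net)) for name, net in BOGONS]

ACTION_RE = re.compile(r"\[UFW (\w+)\]")


def classify_addr(addr):
    """'global' or the bogon category the address falls in."""
    ip = ipaddress.ip_address(addr)
    for name, net in BOGONS:
        if ip in net:
            return name
    return "global"


def parse_line(line):
    """Turn one '[UFW ACTION] KEY=VAL KEY=VAL FLAG ...' line into a dict.
    Bare flags (DF, SYN, ...) become True, hex/decimal values become ints,
    the second LEN (the UDP/ICMP length) is stored as L4LEN."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group(1)}
    for tok in line[m.end():].split():
        if "=" not in tok:
            rec[tok] = True
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"
        if val == "":
            val = None
        elif val.startswith("0x"):
            val = int(val, 16)
        elif val.isdigit():
            val = int(val)
        rec[key] = val
    return rec


def proto_name(rec):
    p = rec.get("PROTO")
    return PROTO_NAMES.get(p, "proto-%d" % p) if isinstance(p, int) else p


def explain(rec):
    """One-line verdict for a parsed record."""
    proto, src, dst = proto_name(rec), rec.get("SRC"), rec.get("DST")
    src_kind = classify_addr(src) if src else "global"
    where = ("in on %s" % rec["IN"]) if rec.get("IN") else ("out on %s" % rec.get("OUT"))
    head = "%s %s %s %s -> %s:" % (rec["action"], where, proto, src, dst)
    if proto == "IGMP" and dst == "224.0.0.1" and rec.get("TTL") == 1:
        return head + (" IGMP query to the all-hosts group (TTL=1, never routed); the periodic "
                       "poll a multicast querier sends, it only matters if this host joins groups")
    if rec.get("OUT") and proto == "UDP" and rec.get("DPT") == 53:
        return head + " DNS query from this host to resolver %s (compare with /etc/resolv.conf)" % dst
    if rec.get("IN") and src_kind != "global":
        return head + " %s source on a public interface, spoofed or leaked (a martian)" % src_kind
    return head + " no specific signature"


def summarize(log_text):
    """Count entries by (action, proto, dst) so a repeating pattern stands out."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return Counter((r["action"], proto_name(r), r["DST"]) for r in recs)


# Constructed sample log (RFC 5737 documentation addresses, not real hosts);
# lines 1 and 3 mirror the IGMP entry from the thread, line 2 the DNS entry,
# line 4 a SYN arriving from an RFC 1918 source.
SAMPLE_LOG = """\
Nov 26 21:55:58 monash kernel: [97523.100000] [UFW BLOCK] IN=eth0 OUT= MAC=* SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 26 21:56:01 monash kernel: [97526.759532] [UFW ALLOW] IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=58369 DF PROTO=UDP SPT=45429 DPT=53 LEN=52
Nov 26 21:56:05 monash kernel: [97530.100000] [UFW BLOCK] IN=eth0 OUT= MAC=* SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 26 21:56:09 monash kernel: [97534.100000] [UFW BLOCK] IN=eth0 OUT= MAC=* SRC=192.168.1.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(explain(parse_line(line)))
    for key, n in summarize(SAMPLE_LOG).items():
        print("%3d x %s" % (n, key))
```

Run it against a real file with `python3 triage.py < /var/log/ufw.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the `summarize` counts are what make a "every few seconds" pattern obvious without reading every line.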

  9. #9
    Join Date
    Aug 2009
    Beans
    11

    Re: 224.0.0.1 in ufw logs

    Many thanks for the answers Doug S & JKyleOKC. Will investigate wireshark. The links were very helpful. I see light at the end of the tunnel...

  10. #10
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,260
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: 224.0.0.1 in ufw logs

    If you can't get wireshark to work (no reason why you shouldn't, except that it needs root privileges to perform packet capture) then tcpdump will work.
    Like this:
    Code:
    tcpdump -p -w capture.cap host 224.0.0.1
    Your first post says that the log says PROTO=2. Protocol 2 is IGMP - Internet Group Management Protocol. My guess is that it's the local router asking if there are any hosts interested in receiving multicasts - nothing to worry about. Tcpdump (without the -w option) will possibly print enough to tell you. Failing that, opening the capture file in wireshark will tell you.
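What wireshark shows when that capture file is opened is a 32-byte frame: a 24-byte IPv4 header (20 bytes plus the 4-byte Router Alert option that IGMP messages carry) followed by an 8-byte IGMP membership query; the log's `TOS=0x00 PREC=0xC0` is the kernel splitting the single TOS byte 0xC0 into its precedence and type-of-service bits. The Python below is an added example for this thread, not code from any post or from tcpdump/wireshark: it builds such a query (a constructed packet, not a capture) and decodes it field by field, verifying both checksums and working out the IGMP version the way a dissector does. The same `decode` function can be fed the raw bytes of an IGMP packet pulled out of a pcap.

```python
"""Decode an IPv4+IGMP packet the way tcpdump/wireshark would, and build one
so the decoder can be exercised offline. Added example for this thread, not
code from the original posts; the packet below is constructed, not captured."""
import ipaddress
import struct

IGMP_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
              0x16: "IGMPv2 Membership Report", 0x17: "Leave Group",
              0x22: "IGMPv3 Membership Report"}
ROUTER_ALERT = b"\x94\x04\x00\x00"   # IP option 148 (RFC 2113); IGMP must carry it


def inet_checksum(data):
    """RFC 1071 one's-complement sum; over a block that already contains its
    own checksum it returns 0 when that checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp_query(src="0.0.0.0", dst="224.0.0.1", max_resp_tenths=100,
                     group="0.0.0.0", ttl=1, tos=0xC0, ident=0):
    """IGMPv2 general query as a querier on the segment would emit it:
    IHL=6 (Router Alert), DF set, TTL 1, protocol 2, 32 bytes on the wire."""
    igmp = struct.pack("!BBH4s", 0x11, max_resp_tenths, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ihl = 5 + len(ROUTER_ALERT) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, ihl * 4 + len(igmp), ident,
                      0x4000, ttl, 2, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + ROUTER_ALERT
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def max_resp_tenths(code, version):
    """Max Response Code -> tenths of a second: v1 is fixed at 10 s, v2 is the
    code itself, v3 is float-encoded (mantissa/exponent) for codes >= 128."""
    if version == 1:
        return 100
    if version == 3 and code >= 128:
        exp, mant = (code >> 4) & 0x7, code & 0xF
        return (mant | 0x10) << (exp + 3)
    return code


def decode(pkt):
    """Return {'ip': {...}, 'igmp': {...} or None}; ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, tos, total, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (vihl & 0xF) * 4
    if vihl >> 4 != 4 or hlen < 20 or total < hlen or len(pkt) < total:
        raise ValueError("bad IPv4 header or length")
    ip = {"total_length": total, "tos": tos, "ttl": ttl, "proto": proto,
          "df": bool(ff & 0x4000),
          "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
          "router_alert": pkt[20:hlen].startswith(ROUTER_ALERT[:2]),
          "checksum_ok": inet_checksum(pkt[:hlen]) == 0}
    if proto != 2:
        return {"ip": ip, "igmp": None}
    body = pkt[hlen:total]
    if len(body) < 8:
        raise ValueError("truncated IGMP message")
    itype, code, _ = struct.unpack("!BBH", body[:4])
    igmp = {"type": itype, "type_name": IGMP_TYPES.get(itype, "unknown 0x%02x" % itype),
            "group": str(ipaddress.IPv4Address(body[4:8])),
            "checksum_ok": inet_checksum(body) == 0}
    if itype == 0x11:
        # 12+ bytes means a v3 query; an 8-byte query with code 0 is v1, else v2
        version = 3 if len(body) >= 12 else (1 if code == 0 else 2)
        igmp.update(version=version, general=igmp["group"] == "0.0.0.0",
                    max_resp_seconds=max_resp_tenths(code, version) / 10)
    return {"ip": ip, "igmp": igmp}


if __name__ == "__main__":
    for field, value in decode(build_igmp_query()).items():
        print(field, value)
```

A general query (group 0.0.0.0) asks every host on the segment to report the groups it has joined; a host with no multicast listeners has nothing to answer, so dropping the query changes nothing for it. The checks in `decode` (IHL, total length, both checksums) are what keep a truncated or corrupted frame from being misread as a valid query.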

