These UFW BLOCK messages on my local network devices were driving me nuts. I have fairly restrictive UFW firewall rules on all network devices running Linux, but after the initial setup the logs had been clean...until recently.
Feb 27 17:56:43 kestrel kernel: [22921.097783] [UFW BLOCK] IN=enp0s31f6 OUT= MAC=[...] SRC=192.168.0.1 DST=220.127.116.11 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Feb 27 12:30:57 firefly kernel: [512478.941999] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.0.50 DST=18.104.22.168 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
The messages above now spam my logs exactly every 2 minutes. I use Rsyslog to stream all system logs from the different network devices to my primary laptop, which lets me quickly check that every device and every smartmon-monitored disk is in good health.
I tried several things to fix the issue — added "Bonjour" and "Multicast DNS" application rules, whitelisted TCP and UDP traffic for those routes. Nothing worked. Since the log messages did not include the port, I couldn't say what application was involved. I could tell it had something to do with multicast, since the traffic was always destined for the
Finally, I discovered IGMP (Internet Group Management Protocol) — an Internet Layer protocol that doesn't use a transport layer, so it has no ports at all. Once it was clear why my TCP/UDP-targeted rules were never matching, the solution also became apparent.
ufw allow from 192.168.0.0/24 to 22.214.171.124/24 proto igmp
Replace 192.168.0.0/24 with your local IP subnet.
I'm not sure about OS version support for the last proto igmp bit. I can only confirm that this works on Linux Mint 20.3 Una / Ubuntu 20.04.4 LTS (Focal Fossa).
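To make the diagnosis repeatable, here is a small triage script I have added as an example (it is not part of the original post): it parses UFW BLOCK lines into their KEY=VALUE fields, names the protocol (the kernel logs TCP/UDP/ICMP by name but IGMP as PROTO=2), flags the absence of SPT/DPT that explains why port-scoped rules never match, and proposes the allow rule in the shape given above. The sample log lines are constructed, with 224.0.0.1 (the IPv4 all-hosts multicast group) as the IGMP destination, and the 192.168.0.0/24 subnet is assumed.

```python
import ipaddress
import re

# Protocol numbers the kernel logs numerically; TCP/UDP/ICMP appear by name.
PROTO_NAMES = {2: "IGMP", 47: "GRE", 50: "ESP"}

# Constructed sample lines in the same shape as the excerpts above: one IGMP
# packet to the all-hosts group, one ordinary blocked SSH SYN for contrast.
SAMPLE_LOG = """\
Feb 27 17:56:43 kestrel kernel: [22921.097783] [UFW BLOCK] IN=enp0s31f6 OUT= MAC=[...] SRC=192.168.0.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Feb 27 12:31:02 firefly kernel: [512483.000001] [UFW BLOCK] IN=eth0 OUT= MAC=[...] SRC=192.168.0.77 DST=192.168.0.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_block_line(line):
    """Return the KEY=VALUE fields of a [UFW BLOCK] line as a dict, else None."""
    if "[UFW BLOCK]" not in line:
        return None
    _, _, rest = line.partition("[UFW BLOCK]")
    return dict(FIELD_RE.findall(rest))

def proto_name(value):
    """Normalise the PROTO= field: 'TCP' stays 'TCP', '2' becomes 'IGMP'."""
    if value.isdigit():
        return PROTO_NAMES.get(int(value), "proto-" + value)
    return value.upper()

def classify(fields, lan="192.168.0.0/24"):
    """Explain one blocked packet and, for IGMP, propose the allow rule."""
    proto = proto_name(fields.get("PROTO", "0"))
    dst = ipaddress.ip_address(fields["DST"])
    info = {
        "proto": proto,
        # No SPT/DPT means a port-scoped rule can never match this traffic.
        "has_ports": "SPT" in fields or "DPT" in fields,
        "multicast_dst": dst.is_multicast,   # 224.0.0.0/4 for IPv4
        "ttl_1": fields.get("TTL") == "1",   # link-local, never routed
        "rule": None,
    }
    if proto == "IGMP":
        # Rule shape from the post; 'proto igmp' support may vary by release.
        info["rule"] = f"ufw allow from {lan} to {dst} proto igmp"
    return info

def triage(log_text, lan="192.168.0.0/24"):
    """Classify every [UFW BLOCK] line in a log excerpt."""
    results = []
    for line in log_text.splitlines():
        fields = parse_block_line(line)
        if fields:
            results.append(classify(fields, lan))
    return results
```

Run `triage(SAMPLE_LOG)` (or feed it the output of `journalctl -k`) and any entry with `proto == "IGMP"` and `has_ports == False` is exactly the case a TCP/UDP application rule cannot fix.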
The whole issue likely started because of a router firmware update last month that enabled a device auto-discovery feature.