These UFW BLOCK messages on my local network devices were driving me nuts. I have fairly restrictive UFW firewall rules on all network devices running Linux, but after the initial setup the logs had been clean... until recently.

Feb 27 17:56:43 kestrel kernel: [22921.097783] [UFW BLOCK] IN=enp0s31f6 OUT= MAC=[...] SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2

Feb 27 12:30:57 firefly kernel: [512478.941999] [UFW BLOCK] IN=eth0 OUT= MAC= SRC= DST= LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

The messages above now spam my logs exactly every 2 mins. I use Rsyslog to stream the system logs from all my network devices to my primary laptop, so I can quickly check that every device and every smartmon-monitored disk is in good health.

I tried several things to fix the issue — added "Bonjour" and "Multicast DNS" application rules, whitelisted TCP and UDP traffic for those routes. Nothing worked. Since the log lines carry no port field, I couldn't tell which application was involved. I could tell it had something to do with multicast, since the traffic was always destined for the range.

Finally, I discovered IGMP (Internet Group Management Protocol) — an Internet Layer protocol that runs directly on IP with no transport layer, which is why the log lines show PROTO=2 and no port at all. Once it was clear why my TCP/UDP-targeted rules were failing, the solution became apparent as well.

ufw allow from to proto igmp

Replace with your local IP subnet.

I'm not sure which OS versions support the proto igmp part at the end. I can only confirm that this works on Linux Mint 20.3 Una / Ubuntu 20.04.4 LTS (Focal Fossa).
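As an added illustration (not code from the original post), here is a small Python script that triages UFW BLOCK lines like the ones above as they arrive from several hosts over rsyslog. It parses the key=value fields, maps the PROTO field to a protocol name (the kernel prints a name for TCP/UDP/ICMP but a bare number for anything else, which is why IGMP appears as PROTO=2), flags packets that carry no port fields and therefore can never be matched by a port-based application rule, and measures the gap between consecutive IGMP blocks per host to confirm the "every 2 mins" pattern. The sample log lines are constructed: the hostnames follow the post, but the addresses and MACs are invented, since the post blanked them out, and the rule hint uses placeholders rather than a real subnet.

```python
"""Triage '[UFW BLOCK]' lines collected from several hosts over rsyslog.

Added example, not code from the original post. It shows why port-based
application rules could not match the blocked packets: PROTO=2 is IGMP, which
rides directly on IP and carries no SPT/DPT fields, so the matching rule has
to name the IP protocol (the post's `... proto igmp` form) instead of a port.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# IANA IP protocol numbers. The kernel log prints a name for TCP/UDP/ICMP and
# a bare number for everything else, which is why IGMP shows up as PROTO=2.
PROTO_BY_NAME = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17}
NAME_BY_PROTO = {v: k for k, v in PROTO_BY_NAME.items()}
# Protocols with no transport header: no ports, so no port rule can match them.
PORTLESS_PROTOS = {1, 2}

# Constructed sample lines in the shape of the post's log (hostnames from the
# post; addresses and MACs are invented, the post had blanked them out).
SAMPLE_LOG = """\
Feb 27 17:56:43 kestrel kernel: [22921.097783] [UFW BLOCK] IN=enp0s31f6 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Feb 27 17:58:43 kestrel kernel: [23041.097783] [UFW BLOCK] IN=enp0s31f6 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Feb 27 12:30:57 firefly kernel: [512478.941999] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 12:31:05 firefly kernel: [512486.100000] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.168.1.50 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:"
    r".*?\[UFW BLOCK\]\s+(?P<fields>.*)$"
)


def parse_ufw_block(line):
    """Return {'ts', 'host', KEY: value, ...} for a UFW BLOCK line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for tok in m.group("fields").split():
        key, _, value = tok.partition("=")  # bare flags such as DF get value ""
        rec[key] = value
    return rec


def proto_number(value):
    """PROTO field -> IP protocol number ('TCP' -> 6, '2' -> 2, unknown -> -1)."""
    return int(value) if value.isdigit() else PROTO_BY_NAME.get(value.upper(), -1)


def classify(rec):
    """Say what kind of UFW rule could match this packet and why."""
    proto = proto_number(rec.get("PROTO", ""))
    name = NAME_BY_PROTO.get(proto, f"proto-{proto}")
    try:
        multicast = ipaddress.ip_address(rec.get("DST", "")).is_multicast
    except ValueError:  # DST missing or blanked, as in the post's own lines
        multicast = False
    portless = proto in PORTLESS_PROTOS
    if portless:
        # Placeholders only: fill in your own subnet and the logged DST.
        hint = f"ufw allow from <lan-subnet> to <dst> proto {name.lower()}"
    else:
        hint = f"port rule on DPT={rec.get('DPT', '?')}/{name.lower()} can match"
    return {"host": rec["host"], "proto": name, "portless": portless,
            "multicast": multicast, "hint": hint}


def triage(log_text):
    """Count blocks per (host, protocol) and collect the port-less combinations."""
    counts, portless = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec is None:
            continue
        info = classify(rec)
        counts[(info["host"], info["proto"])] += 1
        if info["portless"]:
            portless.add((info["host"], info["proto"]))
    return counts, portless


def intervals(log_text, proto_name="IGMP"):
    """Seconds between consecutive blocks of one protocol, per host (periodicity check)."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ufw_block(line)
        if rec and classify(rec)["proto"] == proto_name:
            # Syslog stamps carry no year; any fixed year works for differences.
            stamps[rec["host"]].append(
                datetime.strptime("2000 " + rec["ts"], "%Y %b %d %H:%M:%S"))
    return {h: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for h, ts in stamps.items()}


if __name__ == "__main__":
    counts, portless = triage(SAMPLE_LOG)
    for (host, proto), n in sorted(counts.items()):
        flag = "  <- no ports, needs a proto rule" if (host, proto) in portless else ""
        print(f"{host:8s} {proto:5s} {n:3d}{flag}")
    print("IGMP gaps (s):", intervals(SAMPLE_LOG))
```

Pointing `triage` at the real rsyslog output instead of `SAMPLE_LOG` gives a per-host summary in which any IGMP entry is marked as needing a protocol rule rather than a port rule, and `intervals` returning a steady 120 s gap per host is the quickest confirmation that the traffic is a periodic query rather than something to chase further.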

The whole issue likely started because of a router firmware update last month that enabled a device auto-discovery feature.