
I have a MariaDB database server which is a node of my Galera Cluster, and when I look at the /var/log/ufw.log file, I see a lot of UFW_BLOCK logs for client IP addresses which were connected to the database and made operations successfully. I am also connecting to the database from my machine and I see that my IP address is also logged as UFW_BLOCK, but I had no error or any other interruption during my connections to the database. I also saw some IP addresses logged with UFW_BLOCK that I don't know. When I searched and checked these IPs, I saw that they were IP addresses of switches in the LAN. Why is that happening and what should I do? Does this situation make a problem? Should I allow these IP addresses in iptables?

An example log is here:

Mar 3 12:14:47 DB-Srv1 kernel: [6300510.451352] [UFW BLOCK] IN=ens160 OUT= Mac=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xx.xx.85.222 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=19898 PROTO=2

1 Answer


For TCP connections, Linux tends to use a "half-duplex" close sequence where either side of the session can initiate connection termination via a single 2 way FIN-ACK handshake (which puts the connection into the CLOSE_WAIT state), instead of a full 4 way FIN-ACK handshake. With a router in between, this often leads to one end forgetting about the connection before the other, leading to the UFW_BLOCK messages you are observing.

You did not provide any examples, so this answer is not for certain. Look at the TCP flags in your log entries to see if they are session termination related. Or edit your question adding some examples.

EDIT:

The example log entry provided is a multicast packet. Completely unrelated to any of your useful client packets.

You might also observe packets to which my original answer applies.

Doug Smythies
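As an added illustration of the triage the answer suggests (this is not code from the question or the answer), the script below parses UFW BLOCK lines and sorts them into the categories discussed: IP protocol 2 to a multicast destination is IGMP (the 224.0.0.1 all-hosts query the switches send), a TCP packet carrying FIN or RST without SYN is a stray teardown packet from a session the firewall has already forgotten, and a bare SYN is a genuine blocked connection attempt that deserves a look. The sample log lines and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample /var/log/ufw.log lines; addresses and MACs are placeholders.
SAMPLE_LOG = """\
Mar 3 12:14:47 DB-Srv1 kernel: [6300510.451352] [UFW BLOCK] IN=ens160 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.85.222 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=19898 PROTO=2
Mar 3 12:15:02 DB-Srv1 kernel: [6300525.000001] [UFW BLOCK] IN=ens160 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.85.50 DST=10.0.85.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=501 RES=0x00 ACK FIN URGP=0
Mar 3 12:15:10 DB-Srv1 kernel: [6300533.000001] [UFW BLOCK] IN=ens160 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.85.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_ufw_line(line):
    """Return the KEY=VALUE fields after '[UFW BLOCK]' plus the set of TCP flags, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    tail = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(FIELD_RE.findall(tail))
    # Flags are bare tokens (ACK, FIN, SYN...), not KEY=VALUE pairs.
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields


def classify(fields):
    """Bucket one blocked packet by what it most likely is."""
    proto = fields.get("PROTO", "")
    dst = fields.get("DST", "")
    try:
        dst_is_multicast = ipaddress.ip_address(dst).is_multicast
    except ValueError:
        dst_is_multicast = False
    if proto == "2" and dst_is_multicast:
        return "igmp-multicast"        # IGMP query/report from switches: harmless noise
    if proto == "TCP":
        flags = fields["FLAGS"]
        if flags & {"FIN", "RST"} and "SYN" not in flags:
            return "tcp-teardown"      # late FIN/RST for a session already closed
        if flags == {"SYN"}:
            return "tcp-new-connection"  # a real blocked connect attempt: check the source
    return "other"


def triage(log_text):
    """Count blocked packets per (category, source, destination port)."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_ufw_line(line)
        if fields is None:
            continue
        key = (classify(fields), fields.get("SRC"), fields.get("DPT", "-"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `triage` over the real log and printing the counts shows at a glance how much of the noise is IGMP and teardown traffic and which sources, if any, are actually being refused new connections.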