Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 5550 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to Create Rule for "BJNP" Protocol / Multicast

AlatarK

So after seven years of happily using UTM I thought I had all pretty well down pat, but now I find myself in a state of confusion.

Someone has added a Mac Pro onto a subnet here, and I suddenly am getting lots of log entries like "Default Drop  BNJP <New System's IP> 224.0.0.1:8612". Looking up 8612, most sources say that BJNP means (Canon) BubbleJet Network Protocol (and the owner says there was a Canon printer installed on it some time back), but a few claim it's actually Bonjour.

See https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/41766/bjnp---default-drops-for-mac-client, for example.

The answer given there -- turn it off on the Mac Pro -- isn't an option for me here, so I just want it out of the logs.

Which brings me to the problem: there doesn't seem to be any way to get it out of the logs. You would expect that a Drop LocalSystem > BJNP > Any with no logging, placed at the top of the rules, would remove it from the logs, but it doesn't. Neither does adding a new protocol for TCP/UDP dest port 8612 catch it.

In fact, the only way I can find to remove it is a rule like Drop LocalSystem > Any > 224.0.0.1, which I don't want, because there might be other valid packets to 224.0.0.1 (athough, admittedly, if I understand correctly that's the special Multicast "All Computers" destination, so the UTM should neither process it nor pass it through anywhere).

Is BJNP perhaps something other than standard UDP/TCP?

 

Thanks for any enlightenment,

Paul



This thread was automatically locked due to age.
  • 0

    Ok, I've found some info on it in old Ethereal (now Wireshark) correspondence. It says that it is a Canon discovery protocol and it's UDP 8612. Indeed, if I create a service definition like that and Drop it, it works.

    But if I use the default BJNP service definition entry, it does not.

    Checking this, I see the original service definition is for TCP 8612, which explains why it didn't work. I had believed this to be a default (e.g. predefined) service that came with the UTM, but checking another UTM shows that it's not. Someone (maybe even me) must have entered it, incorrectly as TCP rather UDP, years ago for a similar issue.

    In a future incarnation maybe the software might distinguish between predefined and user-created services, which might make it more obvious, but in the meantime, mea culpa. Apologies! 

Unfiltered HTML