ufw

Comment 7 for bug 720605

Jamie Strandboge (jdstrand) wrote :

Right, and after thinking about all this, I do not want to blindly allow all multicast. I only want to allow mDNS multicast (for service discovery), which was always the intent of these lines. Therefore to fix for mDNS only, before.rules will get:
-# allow MULTICAST, be sure the MULTICAST line above is uncommented
--A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
--A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
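Review bot: the new comment still says "be sure the MULTICAST line above is uncommented", but nothing in this hunk shows which line that is, and the rule it replaces already carried the same instruction; either name the rule or sysctl being referred to or drop the parenthetical, since a reader of before.rules cannot act on it as written. The narrowing itself is sound: the removed `-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT` admitted any packet that merely claimed a multicast source address, which no legitimate sender uses, and the replacement `-p udp -d 224.0.0.251 --dport 5353` admits only multicast mDNS. One caveat worth a comment: mDNS replies sent as unicast (responses to queries with the unicast-response bit set) match neither this rule nor a conntrack entry for the original multicast query, so if those are expected they will need a separate rule.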

and before6.rules will get:
-# allow MULTICAST
--A ufw6-before-input -p icmpv6 -s ff00::/8 -j ACCEPT
--A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT
+# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
+# is uncommented)
+-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
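Review bot: removing `-A ufw6-before-input -p icmpv6 -d ff00::/8 -j ACCEPT` drops acceptance of all ICMPv6 sent to multicast destinations, not just the multicast ping traffic this bug is about, and that range carries Neighbor Solicitation (ff02::1:ff00:0/104), Router Advertisement (ff02::1) and MLD traffic that IPv6 needs to function at all. Nothing in this hunk accepts those types, so confirm that before6.rules has explicit per-type ICMPv6 accept rules for them above or below this point before the blanket rule goes; if it does, reference them in the comment, and if it does not, keep a rule that accepts those types to ff00::/8 alongside the new `-p udp -d ff02::fb --dport 5353` mDNS rule. As with the IPv4 hunk, dropping the `-s ff00::/8` variant is correct, since a multicast source address is never legitimate.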

Then to fix this bug, I will add this to before6.rules, just before the INVALID rules:
+# for multicast ping replies from link-local addresses (these don't have an
+# associated connection and would otherwise be marked INVALID)
+-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT
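Review bot: the comment describes "multicast ping replies", but the rule `-p icmpv6 --icmpv6-type echo-reply -s fe80::/10 -j ACCEPT` has no multicast-related match at all; it accepts every echo-reply from any link-local source, solicited or not, so the comment overstates how narrow the rule is and should say "echo replies from link-local addresses". Since these replies are by definition not tied to a conntrack entry, consider tightening with `-d fe80::/10` (a host that answers from a link-local address was pinged from one) and adding a `-m limit` match so an unsolicited echo-reply flood from the link is not accepted without bound. Placing it before the INVALID rules is the right ordering given the stated reason, so keep that.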