Adding block rule confusion (MAC and IP)

Hi,

I’ve been using v3 for some time and just upgraded to v5.

What I don’t understand is why I cannot add a rule by IP ANY and not MAC ANY. In v3 by default it will add a rule by IP ANY.

After I rebooted following the installation I was prompted that SVCHOST.EXE wants to connect to something like ff02 (instead of showing an IP address)… I don’t know what address this is. I already have an outgoing IP rule for SVCHOST. If I allow the prompt I mentioned above then it will add “ALLOW IP OUT FROM MAC ANY TO MAC ANY WHERE PROTOCOL IS ANY” as well.
Likewise, if I manually add a block rule with Any Address, it will add “BLOCK IP OUT FROM MAC ANY TO MAC ANY WHERE PROTOCOL IS ANY” instead of IP ANY.

Also, in my firewall logs, sometimes my machine’s IP is displayed with my MAC address rather than the IP. I hope this makes sense.

Running on Windows 7.

Hi bdrum,

Welcome to the forums!

MAC is there to support IPv4 and IPv6 rules to match “ANY” based on the MAC of the interface, so MAC got introduced when the IPv6 code entered CIS.

Second, the ff02: etc. addresses are IPv6-based, and as this is the first version to support IPv6 they start to show up now.

You can find more about IPv6 here:

Thank you for the quick response :slight_smile:

I read that using rules based on MACs is not good?

Ok, for example, right now on my SVCHOST rule I have 2 rules: one for “ALLOW IP OUT FROM MAC ANY TO MAC ANY WHERE PROTOCOL IS ANY” which was created by v5, and another rule that is exactly the same except with IP instead of MAC that was created when I was using v3 (I imported the settings from v3). Does that mean I can delete the IP one and keep the MAC one, as it’s obsolete now?

Thanks.

May I ask where you read that?

Ok, for example, right now on my SVCHOST rule I have 2 rules: one for "ALLOW IP OUT FROM MAC ANY TO MAC ANY WHERE PROTOCOL IS ANY" which was created by v5, and another rule that is exactly the same except with IP instead of MAC that was created when I was using v3 (I imported the settings from v3). Does that mean I can delete the IP one and keep the MAC one, as it's obsolete now?

Thanks.

Yes, those rules are redundant. Even more, if you double-click on the IP rule and apply it, it will change automatically to MAC, because they built this into the GUI.

The rule you have will allow svchost.exe to connect to any IP (v4 & v6) on any port.
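To make the two answers above concrete, here is an added Python example (not from this thread or from Comodo) that normalises rule strings of the form quoted in this thread so redundant "IP ANY"/"MAC ANY" pairs can be spotted, and explains the ff02: style addresses that appear in the prompts. The rule grammar is assumed from the rules quoted in the thread only, not from CIS's full rule syntax.

```python
import ipaddress
import re

# Grammar assumed from the rule strings quoted in this thread, not CIS's full rule syntax.
RULE_RE = re.compile(
    r"^(?P<action>ALLOW|BLOCK) IP (?P<direction>IN|OUT) "
    r"FROM (?P<src_kind>IP|MAC) (?P<src>\S+) TO (?P<dst_kind>IP|MAC) (?P<dst>\S+) "
    r"WHERE PROTOCOL IS (?P<proto>\S+)$"
)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

def parse_rule(text: str) -> dict:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    return m.groupdict()

def rule_key(rule: dict) -> tuple:
    """Normalise a rule to the traffic it matches. An endpoint written as ANY matches
    every address whether the rule says 'IP ANY' or 'MAC ANY', so the endpoint kind
    is dropped for ANY and kept only for specific addresses."""
    def endpoint(kind, value):
        return ("ANY",) if value == "ANY" else (kind, value)
    return (rule["action"], rule["direction"], rule["proto"],
            endpoint(rule["src_kind"], rule["src"]), endpoint(rule["dst_kind"], rule["dst"]))

def redundant_rules(rule_texts):
    """Return (earlier, later) pairs of rules that match exactly the same traffic."""
    seen, dupes = {}, []
    for text in rule_texts:
        key = rule_key(parse_rule(text))
        if key in seen:
            dupes.append((seen[key], text))
        else:
            seen[key] = text
    return dupes

def classify_address(addr: str) -> str:
    """Explain what an address shown in a firewall prompt or log entry actually is."""
    if MAC_RE.match(addr):
        return "MAC address: the log recorded the interface's layer-2 address, not an IP"
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.is_multicast:
        scope = (int(ip) >> 112) & 0xF  # low nibble of the second byte is the multicast scope
        if scope == 2:
            return "IPv6 link-local multicast (ff02::/16): on-link discovery traffic, never routed"
        return f"IPv6 multicast with scope {scope:#x}"
    return f"IPv{ip.version} unicast"
```

Feeding it the two svchost.exe rules from the thread reports them as one redundant pair, while a BLOCK rule or a rule with a specific address is kept apart.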

I read that here when searching about MAC addresses :smiley:

Ok thank you for your help :slight_smile:

Well, if you hop onto loads of different networks etc. it might have a downside, but then again, do you create new rules for every network you connect to? It’s all about the balance between security and usability, how tight one would make his/her FW rules…