block ip in from mac any to mac any where protocol is any - on or off?

CIS 7.0.317799.4142

In Firewall > Global Settings, should “block ip in from mac any to mac any where protocol is any” be turned on or off?

Not sure what this does; it is currently off (default?).


If I’m not mistaken, a global rule is either allow or block. Do you mean allow or block instead of on or off?

Just to avoid any kind of misunderstanding: the check-boxes next to the rules aren’t “enable” / “disable”; they’re only selection check-boxes for when you want to apply certain actions to several of the rules. You may or may not know that already, but I don’t see any other way a rule can be present yet disabled?

Here’s a screenshot.

Should I enable the Block IP In From MAC feature at the bottom?

If yes, I’m assuming that I put a checkmark in that box and click OK.


[attachment deleted by admin]

The rule is already active. The checkboxes are NOT for enabling/disabling a rule; they are ONLY used to select multiple rules when you want to, for example, delete them. I’m not sure how to make that more clear.

To clarify what Sanya is saying, those rules are already established. The ones with the green checks are allow rules, and the one with the red symbol is a block rule. You can double-click a rule to bring up its settings, in which you can change or rename it however you prefer. To delete the rule, you would then use the checkbox, pull up the options tab below the rulesets, and click Remove.

This block / mac / in rule could cause issues if you need systems on your network to communicate with each other, for example file sharing or discovery. It would block other systems from communicating with the particular system you have the rule applied on.

If you want to communicate over the local network, you need to make a Global Rule to allow incoming traffic from your local network.
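As an added illustration of the point made above (this is example code written for this page, not code from the thread, from Comodo, or from CIS itself), here is a small first-match rule simulator. It assumes that global rules are evaluated top-down with the first matching rule deciding the verdict, uses a constructed 192.168.1.0/24 local network, and feeds it constructed sample traffic (SMB file sharing and NetBIOS discovery from LAN peers, a probe from the Internet, and an outbound HTTPS connection). It shows that the trailing "Block IP In From MAC Any To MAC Any" rule stops LAN file sharing unless an "allow in from local network" rule is placed above it, and that placing that allow rule below the block rule does nothing, because the block rule matches first.

```python
# Added example, not part of the original thread or of Comodo's own code.
# Assumption: global rules are evaluated top-down, first match wins.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the protected host
    protocol: str         # "tcp", "udp" or "icmp"
    src: IPv4Address      # remote address for "in", local address for "out"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "block"
    direction: str                      # "in", "out" or "any"
    protocol: str                       # "tcp", "udp", "icmp" or "any"
    src: Optional[IPv4Network] = None   # None means "any" source address
    description: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.protocol not in ("any", pkt.protocol):
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the first rule (top to bottom) that matches, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def build_global_rules(allow_lan: bool, lan: str = "192.168.1.0/24",
                       place_lan_rule_last: bool = False) -> List[Rule]:
    """Constructed rule list modelled on a typical global rule set:
    allow everything out, optionally allow the local network in, and the
    trailing block-all-inbound rule discussed in the thread.  With
    place_lan_rule_last=True the LAN allow rule is (wrongly) put after the
    block rule, which is the ordering mistake to avoid."""
    lan_rule = Rule("allow", "in", "any", ip_network(lan),
                    description=f"Allow IP In From {lan} (local network)")
    rules = [Rule("allow", "out", "any",
                  description="Allow IP Out From MAC Any To MAC Any")]
    if allow_lan and not place_lan_rule_last:
        rules.append(lan_rule)
    rules.append(Rule("block", "in", "any",
                      description="Block IP In From MAC Any To MAC Any "
                                  "Where Protocol Is Any"))
    if allow_lan and place_lan_rule_last:
        rules.append(lan_rule)
    return rules


def decide(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """Verdict for one packet.  `default` is only reached when no rule
    matches; with the trailing block rule every inbound packet is matched,
    so in this example only unmatched outbound traffic could fall through."""
    matched = evaluate(rules, pkt)
    return matched.action if matched else default


# Constructed sample traffic (not captured from a real host).
SMB_FROM_LAN_PEER = Packet("in", "tcp", ip_address("192.168.1.20"), 445)   # file sharing
DISCOVERY_FROM_LAN = Packet("in", "udp", ip_address("192.168.1.30"), 137)  # NetBIOS name service
PROBE_FROM_INTERNET = Packet("in", "tcp", ip_address("203.0.113.5"), 445)
OUTBOUND_HTTPS = Packet("out", "tcp", ip_address("192.168.1.10"), 443)
SAMPLES = (SMB_FROM_LAN_PEER, DISCOVERY_FROM_LAN, PROBE_FROM_INTERNET, OUTBOUND_HTTPS)

if __name__ == "__main__":
    for label, rules in (("no LAN rule", build_global_rules(False)),
                         ("LAN rule above block", build_global_rules(True)),
                         ("LAN rule below block", build_global_rules(True, place_lan_rule_last=True))):
        print(f"\n{label}:")
        for pkt in SAMPLES:
            hit = evaluate(rules, pkt)
            print(f"  {pkt.direction:3} {pkt.protocol:4} from {str(pkt.src):14} -> "
                  f"{decide(rules, pkt):5}  ({hit.description if hit else 'no match'})")
```

Running it prints the verdict and the matching rule for each sample packet under the three rule orderings; the interesting rows are the LAN peers, which are blocked in the first and third layouts and allowed only when the local-network allow rule sits above the block rule.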

Many thanks, now I get it: the red marker is a block rule.

Thanks for the tip on double-clicking to edit, too.

I would highly recommend blocking all ICMPv4/v6 in/out traffic as there are only a minute number of applications that require it and unless a person is connected to an enterprise network, ICMP should always remain blocked