LAN config & IP block


I would like to make a PC inaccessible from some LAN IPs, but not from other IPs. How should I configure CIS 4?

How many computers?

Are the static IPs to allow or block contiguous?
(If so, it is enough to define an appropriate network zone for the LAN and to set rules for this zone, or, even easier, to set a global rule for the IPs concerned and all protocols.)

You could create a Global block rule IN:

IP ANY src not in [IP_allowed] dest src port ANY dest port ANY

This would block any IPs except the ones specified in the zone ‘IP_allowed’ from accessing any machines on the domain specified by

Establish a global allow rule OUT:

IP ANY src not in [IP_denied] dest in src port ANY dest port ANY

In that case any IPs, IP ranges, IP masks or MACs in the IP_denied zone could not access ANY IP on the 192.168.0 domain.

Clearly all of these rules must exist on each host on the domain and the domain needs to be adjusted as is appropriate for the network in question.

On the other hand the converse would work equally well:

Allow OUT IP ANY src dest not in [IP_denied] src port ANY dest port ANY

(Stops the entire domain from getting to zone ‘IP_denied’, but permits access to all other hosts on the domain.)

Block IN IP ANY src dest not in [IP_allowed] src port ANY dest port ANY

(Stops any incoming traffic if the host that the rule is on isn’t in the zone defined by ‘IP_allowed’.)

You could mix and match all of the foregoing rules to get pretty selective about who goes where, and where whom can go, i.e., rules needn’t be mutually exclusive. In that case it’s important to order the rules from general to specific (the first rule encountered, top to bottom, that fits will execute).
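The post above leans on two things: zones that hold single IPs, ranges or masks, and first-match evaluation from the top of the rule list down. The following is an added example, not Comodo's code or anything from this thread, that models both so you can see which rule fires for a given packet before you commit a rule set to every host. The rule syntax, the zone names IP_allowed and IP_denied, the host address and all sample IPs are constructed for the example; it uses only the Python standard library.

```python
"""Added example: a first-match evaluator for zone-based global rules.
Not Comodo's code; the zones, host address and sample IPs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_zone(entries):
    """A zone is a list of single IPs, CIDR masks or 'start-end' ranges,
    all normalised to ip_network objects so membership tests are uniform."""
    nets = []
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_zone(ip, zone):
    """True if the address falls inside any entry of the zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in zone)


@dataclass
class Rule:
    direction: str                    # "IN" or "OUT"
    action: str                       # "ALLOW" or "BLOCK"
    src_zone: Optional[list] = None   # None models "src ANY"
    src_negate: bool = False          # True models "src not in [zone]"
    dst_zone: Optional[list] = None   # None models "dest ANY"
    dst_negate: bool = False          # True models "dest not in [zone]"
    port: Optional[int] = None        # None models "dest port ANY"

    def matches(self, direction, src, dst, port):
        if direction != self.direction:
            return False
        # A zone condition fails when membership equals the negation flag:
        # "in zone" needs membership True, "not in zone" needs it False.
        if self.src_zone is not None and in_zone(src, self.src_zone) == self.src_negate:
            return False
        if self.dst_zone is not None and in_zone(dst, self.dst_zone) == self.dst_negate:
            return False
        if self.port is not None and port != self.port:
            return False
        return True


def evaluate(rules, direction, src, dst, port, default="BLOCK"):
    """First match wins, top to bottom. Returns (action, index of the rule
    that fired, or None when the default policy decided)."""
    for i, rule in enumerate(rules):
        if rule.matches(direction, src, dst, port):
            return rule.action, i
    return default, None


# Constructed sample zones and host (assumed values, not from the thread).
HOST = "192.168.0.5"
IP_ALLOWED = parse_zone(["192.168.0.10", "192.168.0.20-192.168.0.25"])
IP_DENIED = parse_zone(["192.168.0.100/30"])  # .100 - .103

RULES = [
    Rule("IN", "BLOCK", src_zone=IP_ALLOWED, src_negate=True),   # Block IN src not in [IP_allowed]
    Rule("IN", "ALLOW"),                                          # whatever is left coming in
    Rule("OUT", "ALLOW", dst_zone=IP_DENIED, dst_negate=True),    # Allow OUT dest not in [IP_denied]
]


def ordering_demo(src="192.168.0.77"):
    """Same two rules in two orders: a general allow placed first swallows the
    packet before the more specific block is ever consulted."""
    block_outsiders = Rule("IN", "BLOCK", src_zone=IP_ALLOWED, src_negate=True)
    allow_rest = Rule("IN", "ALLOW")
    general_first = evaluate([allow_rest, block_outsiders], "IN", src, HOST, 445)
    specific_first = evaluate([block_outsiders, allow_rest], "IN", src, HOST, 445)
    return general_first, specific_first


if __name__ == "__main__":
    print("IN  from .10  ->", evaluate(RULES, "IN", "192.168.0.10", HOST, 445))
    print("IN  from .77  ->", evaluate(RULES, "IN", "192.168.0.77", HOST, 445))
    print("OUT to   .101 ->", evaluate(RULES, "OUT", HOST, "192.168.0.101", 80))
    print("OUT to   .30  ->", evaluate(RULES, "OUT", HOST, "192.168.0.30", 80))
    print("ordering (general first, specific first):", ordering_demo())
```

The ordering_demo call is the point to watch: with the general "allow everything in" rule on top, a source outside IP_allowed is let through at rule 0 and the block rule never runs, so in a first-match list the narrower rule has to sit above the broad one. Outbound traffic to the denied zone ends at the default policy because no rule fits it, which is why the default deserves as much attention as the explicit rules.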

Your PC is inaccessible from the LAN by default (V3 CIS), so you only have to make rules for the IPs that are allowed to access…

Works fine for me…