mac blocking not working [NBZ]

Previous forum discussion:

Mac blocking not working.

The bug/issue

  1. What you did:
The rules look like this:
    For All applications:
    Allow IP In/Out From Not In [MAC3] To MAC Any Where Protocol Is Any
    Block And Log IP In/Out From MAC Any To MAC Where Protocol Is Any

Our aim is to prevent mac spoofing on the network. We sent packets using packETH. ICMP, TCP and UDP traffic. We monitored the traffic using wireshark on the sender machine and receiver.

In our setup we have all IP addresses on the same subnet. Our configuration is trying to block what is referred to as MAC3 below.

Scenario 1:
mac1:ip1 sending to mac2:ip2. works and is allowed.
mac3:ip3 sending to mac2:ip2. Not allowed. Mac3 is blocked successfully.

Scenario 2 : In this scenario we are able to bypass the firewall:
mac1:ip1 sending to mac2:ip2. Works and is allowed.
Seconds later:
mac3:ip1 sending to mac2:ip2. Works even though mac3 should be blocked by the configuration. Here we spoof mac3 from the machine with ip1. ICMP is blocked like it should be, but UDP and TCP bypass the firewall.

  1. What actually happened or you actually saw:
    Traffic is allowed in to a machine with a blocked mac address when sending data as described in Scenario 2.

  2. What you expected to happen or see:
    The traffic should be stopped as in scenario 1.

  3. How you tried to fix it & what happened:
    We checked that our configuration was correct but we could not solve it.

  4. If it's an application compatibility problem have you tried the application fixes here?:

  5. Details & exact version of any application (except CIS) involved with download link:

  6. Whether you can make the problem happen again, and if so exact steps to make it happen:
    The procedure in Scenario 2 is reproducible.

  7. Any other information (eg your guess regarding the cause, with reasons):
    We suspect that the firewall does not inspect the mac address again as long as the traffic is sent within ip session timeout from first inspection. This goes for TCP and UDP where a session timeout is established.

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug:

  2. Screenshots of related CIS event logs and the Defense+ Active Processes List:

  3. A CIS config report or file. is our configuration file.

  4. Crash or freeze dump file:

Your set-up

  1. CIS version, AV database version & configuration used:
    Latest updates we could find to date (30 March 2011).

  2. a) Have you updated (without uninstall) from CIS 3 or 4:
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:

  3. a) Have you imported a config from a previous version of CIS:
    b) if so, have you tried a standard config (without losing settings - if not please do)?:

  4. Have you made any other major changes to the default config? (eg ticked ‘block all unknown requests’, other egs here.):

  5. Defense+ off, Sandbox, Firewall & AV security levels: D+= custom policy, Sandbox= , Firewall = custom policy. Version 5.3.181415.1237 , AV = not installed.

  6. OS version Windows 7 professional, service pack 1, number of bits 32, UAC setting off, & account type: admin

  7. Other security and utility software installed: wireshark

  8. Virtual machine used (Please do NOT use Virtual box): none used for this test.

[attachment deleted by admin]
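The cause the reporter suspects in item 7 above (a flow cache keyed on the IP session, so the MAC rule is only consulted for the first packet of a flow) can be modelled with a short simulation. This is an added example written by the editor, not Comodo's code, and it makes no claim about how CIS actually keys its connection table: the addresses, the idle timeout, the ports and the assumption that ICMP is not tracked are all constructed for illustration. It replays both scenarios from the report against the suspected filter and against a hardened variant that puts the source MAC into the flow key and re-checks it on every packet.

```python
# Added example: a toy model of the behaviour suspected in the bug report.
# Constructed by the editor; NOT Comodo's code. Addresses, timeout and the
# "ICMP is untracked" assumption are all made up for illustration.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # ICMP carries no ports; 0 is a placeholder
    dport: int = 0
    t: float = 0.0        # send time in seconds, used for the idle timeout


# Assumed addresses standing in for mac1/mac2/mac3 and ip1/ip2/ip3 of the report.
MAC1, MAC2, MAC3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
IP1, IP2, IP3 = "192.168.1.1", "192.168.1.2", "192.168.1.3"
BLOCKED_MACS = {MAC3}        # the "Block And Log ... From [MAC3]" rule
SESSION_TIMEOUT = 30.0       # assumed idle timeout of the flow cache


def mac_rule_allows(pkt: Packet) -> bool:
    """The layer-2 rule from the report: drop anything whose source MAC is MAC3."""
    return pkt.src_mac not in BLOCKED_MACS


class FlowCachedFilter:
    """Models the suspected bug: the rule set runs only for the first packet of a
    flow, and the flow cache is keyed on the IP 5-tuple alone, so a later packet
    that matches the tuple is accepted without the source MAC being examined."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple, float] = {}

    def key(self, pkt: Packet) -> Tuple:
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)

    def accept(self, pkt: Packet) -> bool:
        if pkt.proto == "icmp":
            # Assumption: ICMP is not tracked, so every ICMP packet sees the rules.
            return mac_rule_allows(pkt)
        k = self.key(pkt)
        last = self.flows.get(k)
        if last is not None and pkt.t - last <= SESSION_TIMEOUT:
            self.flows[k] = pkt.t          # cache hit: MAC is never re-examined
            return True
        if mac_rule_allows(pkt):
            self.flows[k] = pkt.t          # first packet: rules ran, flow cached
            return True
        return False


class MacCheckedFilter(FlowCachedFilter):
    """Hardened variant: the source MAC is part of the flow key, and the MAC rule
    is re-evaluated on every packet whether or not the flow is cached."""

    def key(self, pkt: Packet) -> Tuple:
        return (pkt.src_mac,) + super().key(pkt)

    def accept(self, pkt: Packet) -> bool:
        if not mac_rule_allows(pkt):       # layer-2 check first, unconditionally
            return False
        return super().accept(pkt)


def scenario_1(fw: FlowCachedFilter) -> bool:
    """Scenario 1: mac3 sends from its own ip3; there is no prior flow to hijack."""
    return fw.accept(Packet(MAC3, MAC2, IP3, IP2, "tcp", 40002, 80, 0.0))


def scenario_2(fw: FlowCachedFilter) -> Dict[str, bool]:
    """Scenario 2: legitimate TCP/UDP flows from mac1:ip1, then packets from mac3
    that spoof ip1 and reuse the same ports a few seconds later."""
    legit = [Packet(MAC1, MAC2, IP1, IP2, "tcp", 40000, 80, 0.0),
             Packet(MAC1, MAC2, IP1, IP2, "udp", 40001, 53, 0.5)]
    spoofed = {"tcp": Packet(MAC3, MAC2, IP1, IP2, "tcp", 40000, 80, 3.0),
               "udp": Packet(MAC3, MAC2, IP1, IP2, "udp", 40001, 53, 3.5),
               "icmp": Packet(MAC3, MAC2, IP1, IP2, "icmp", t=4.0)}
    results = {"legit_" + p.proto: fw.accept(p) for p in legit}
    for name, p in spoofed.items():
        results["spoofed_" + name] = fw.accept(p)
    return results


if __name__ == "__main__":
    for cls in (FlowCachedFilter, MacCheckedFilter):
        print(cls.__name__, "scenario 1 accepted:", scenario_1(cls()))
        print(cls.__name__, "scenario 2:", scenario_2(cls()))
```

Run as-is, the flow-cached model reproduces exactly the split the reporter observed: Scenario 1 is blocked, and in Scenario 2 the spoofed TCP and UDP packets ride the cached flow while the spoofed ICMP packet, which has no cached flow, is dropped. The hardened variant blocks all three, because a flow entry created by mac1 can never match a packet from mac3 and the layer-2 rule is consulted before the cache is.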

Could you please post what your firewall is set at.

  1. Defense+ off, Sandbox, Firewall & AV security levels: D+= custom policy, Sandbox= , Firewall = 5.3.181415.1237 , AV = not installed.

Firewall= Custom Policy or Safe Mode.

Thank you


it was set as custom policy.

Thank you for your bug report in the required format.

Moved to verified.

Thank you


Thanks guys! We have reproduced the issue, we will fix it ASAP!

any eta?

Is this issue fixed in version 5.4.189068.1354 ?