blocking MAC address with ipfw ?

John Pettitt jpp at
Mon May 2 20:26:06 PDT 2005

faisal gillani wrote:

>How can I block a MAC address with ipfw?
>Can you share the syntax, please?

man ipfw reveals ...

            { MAC | mac } dst-mac src-mac
             Match packets with a given dst-mac and src-mac addresses,
             specified as the any keyword (matching any MAC address), or six
             groups of hex digits separated by colons, and optionally
             followed by a mask indicating the significant bits.  The mask
             may be specified using either of the following methods:

             1.      A slash (/) followed by the number of significant bits.
                     For example, an address with 33 significant bits could
                     be specified as:

                           MAC 10:20:30:40:50:60/33 any

             2.      An ampersand (&) followed by a bitmask specified as six
                     groups of hex digits separated by colons.  For example,
                     an address in which the last 16 bits are significant
                     could be specified as:

                           MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any

                     Note that the ampersand character has a special meaning
                     in many shells and should generally be escaped.

             Note that the order of MAC addresses (destination first, source
             second) is the same as on the wire, but the opposite of the one
             used for IP addresses.


 ipfw add 999 deny MAC any 10:20:30:40:50:60/33

would be a valid rule.
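
Added example, not part of the original post and not ipfw's own code: a small Python model of the mask semantics in the man page excerpt above, useful for checking which addresses a spec such as `10:20:30:40:50:60/33` covers before putting it in a deny rule. The function names are hypothetical.

```python
# Model of the ipfw MAC spec forms quoted above: any | addr | addr/bits | addr&mask.
# Illustration only; function names are assumptions, not part of ipfw.
FULL_MASK = (1 << 48) - 1


def mac_to_int(text):
    """Convert six colon-separated hex groups to a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected six hex groups: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"group out of range in {text!r}")
        value = (value << 8) | octet
    return value


def parse_mac_spec(spec):
    """Return (address, mask); the address is already reduced by the mask."""
    if spec == "any":
        return 0, 0
    if "/" in spec:                      # slash form: number of significant bits
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 48:
            raise ValueError(f"bit count out of range in {spec!r}")
        mask = ((1 << bits) - 1) << (48 - bits)
    elif "&" in spec:                    # ampersand form: explicit bitmask
        addr, mask_text = spec.split("&", 1)
        mask = mac_to_int(mask_text)
    else:                                # bare address: all 48 bits significant
        addr, mask = spec, FULL_MASK
    return mac_to_int(addr) & mask, mask


def mac_matches(spec, mac):
    """True if mac falls inside the set of addresses described by spec."""
    addr, mask = parse_mac_spec(spec)
    return (mac_to_int(mac) & mask) == addr


def addresses_covered(spec):
    """How many distinct MAC addresses the spec matches."""
    _, mask = parse_mac_spec(spec)
    return 1 << (48 - bin(mask).count("1"))
```

With 33 significant bits, only the first four groups and the top bit of the fifth are compared, so the spec covers a block of addresses; a bare address with no mask matches exactly one.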

