how to allow by MAC

Ian Smith smithi at
Wed Jun 13 08:56:41 UTC 2012

On Mon, 11 Jun 2012 15:18:18 -0700, Randal L. Schwartz wrote:
 > >>>>> "Bill" == Bill Yuan <bycn82 at> writes:
 > Bill> I want to create a white list MAC address,  Only the machine which it's MAC
 > Bill> in the white list will be allowed,  all others will be blocked.
 > Bad idea.  Since (a) every MAC address that *is* allowed is transmitted
 > in the clear and (b) it's trivial to spoof a MAC address.
 > This. is. no. security.

Indeed, that's right Randal.  But I got the impression from Bill's mails 
that this is more likely just something inside his internal network.

 > Please stop even trying.

Well I don't think learning how to use ipfw properly at layer2 is a bad 
idea in itself, and I wouldn't want to discourage anyone from that.

For some years I ran a filtering transparent bridge with ipfw + dummynet 
for a small network of about 20 mostly W98, XP and Mac boxes sharing one 
slow ADSL gateway between various assorted community groups (talk about 
herding cats! :) and MAC filtering was one of the handiest tools when 
some box or other got owned (again!) by some virus and started spewing 
spam, provider complains and/or cuts access .. you know the deal.

In that sort of environment, none of the punters had any clue about 
forging MACs or anything vaguely like that, and it stopped people 
randomly plugging boxes into the network.  Horses for courses.

I replied in more detail to another from Bill privately, copy follows.

cheers, Ian

More information about the freebsd-questions mailing list