How to block MAC address in pf firewall

I want to block a particular MAC address on a PF firewall. I know the PF firewall works at Layer 3, i.e. it operates on IP addresses rather than MAC addresses. But is there any way to block a MAC address on the pf firewall?


Solution 1:

No, there isn't.

You know that it's trivial for people to change their MAC addresses, correct? Additionally, the instant a packet passes through a Layer 3 routing device, the MAC address information of the source machine is lost. So even if you did want to do something like this, it would only ever work for clients that are on the same L2 LAN as your server.

What are you actually trying to accomplish here?

Solution 2:

To do that you have to tag the ethernet frame. (http://www.openbsd.org/faq/pf/tagging.html)

Tagging can be performed at the Ethernet level if the machine doing the tagging/filtering is also acting as a bridge(4). By creating bridge(4) filter rules that use the tag keyword, PF can be made to filter based on the source or destination MAC address. Bridge(4) rules are created using the ifconfig(8) command.

Example:

# ifconfig bridge0 rule pass in on fxp0 src 0:de:ad:be:ef:0 tag USER1

And then in pf.conf:

pass in on fxp0 tagged USER1

And EEAA is right, there's no real security here.

Change your MAC address like this:

ifconfig eth0 hw ether 02:01:02:03:04:08
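A fuller version of the bridge(4) tagging approach from Solution 2, added here as an example and not part of the original answers: the bridge rules are made persistent in /etc/hostname.bridge0, pf blocks by default on the inside interface, and only frames the bridge tagged from the permitted source MAC get through. The interface names (fxp0, fxp1), the MAC addresses and the tag names are assumed placeholders.

```conf
# /etc/hostname.bridge0 (assumed example; read by netstart at boot,
# each line is an argument list for "ifconfig bridge0")
add fxp0
add fxp1
# drop frames from a specific (constructed) source MAC outright at the bridge
rule block in on fxp0 src 00:11:22:33:44:55
# tag frames from the one permitted (constructed) source MAC for pf
rule pass in on fxp0 src 0:de:ad:be:ef:0 tag USER1
up

# /etc/pf.conf (relevant fragment)
# default deny on the inside member interface, so that an untagged
# frame is dropped rather than silently passed
block in on fxp0
# only frames the bridge rule tagged USER1 are allowed in
pass in on fxp0 tagged USER1
```

The "block in on fxp0" line is what actually enforces the policy; with only the "pass ... tagged" rule, frames without the tag would still be matched by whatever other rules follow. As both answers note, this holds only for hosts on the same L2 segment as the bridge and is defeated by simply changing the MAC.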