Layer 2 filtering


Pushrod
February 13th, 2009, 00:24
Is there a way to block a certain MAC address on a network, or otherwise control it, as you would with an IP?

deny from 00:00:AB:CD to mybox port 80

...that kind of thing. I use PF but a separate thing wouldn't bother me if need be.

vivek
February 13th, 2009, 11:17
Yes, with transparent firewalling PF can be made to filter based on the source or destination MAC address. See
http://www.openbsd.org/faq/pf/tagging.html

Pushrod
February 14th, 2009, 20:37
In order to do that, do I need to configure the machine as a bridge?

The machine is a router in my home; I want to be able to block certain MAC addresses from connecting to it, not unlike blocking a specific IP. I am not looking to bridge the inside and outside networks.

danger@
February 15th, 2009, 01:38
I think there is some ongoing work to support layer 2 filtering in ipfw. I'm not sure about its state though.

mgp
February 15th, 2009, 17:51
Hi,
ipfw supports layer 2 filtering.
The keyword is "layer2".

check ipfw(8)

layer2 Matches only layer2 packets, i.e., those passed to ipfw from
ether_demux() and ether_output_frame().

net.link.ether.ipfw: 0
Controls whether layer-2 packets are passed to ipfw. Default is
no.

net.link.bridge.ipfw: 0
Controls whether bridged packets are passed to ipfw. Default is
no.

good luck ;)

kamikaze
February 17th, 2009, 13:32
To change a MAC address is so easy. Even on Windows 95 this was easily done by an inexperienced user (I'm talking about myself, consider that back then I was barely a teenager).

So I wonder why you'd want to use MAC-based filtering. On layer 3 you can be certain that certain IPs come from a certain network and treat them accordingly.

hydra
February 17th, 2009, 20:51
I was just about to ask the same thing as kamikaze...

honk
February 17th, 2009, 23:59
I think as an additional(!) measure (filtering based on the ip && mac) in a home setup it could be useful. Just to confuse unmotivated attackers in the neighborhood. But not as the first thing in securing your own systems. Another idea could be filtering incoming traffic based on the mac-address of the upstream router (allowing only them) when your external interface is on a shared ip-subnet and you can't control the upstream router. Or filtering out arp-requests from unknown (bad) mac-addresses to prevent others from seeing your mac-address before they begin arp-spoofing... Maybe I'm writing bullshit at this time of day, never implemented filtering at layer-2 excessively, just writing down some ideas. So it would be a nice-to-have feature, but with such things you can confuse yourself too (much). ;)

@Pushrod: You already considered using static arp to solve your problem?

cheers,
honk
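An added example (not from any poster in this thread) of what mgp's ipfw layer2 keyword and honk's "ip && mac" idea look like as an actual rule set on a FreeBSD router. The MAC addresses, the inside interface em1, the 192.168.1.20 address and the rule numbers are assumed values; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: build the ipfw(8) layer-2 rules for
# blocking one station by MAC on a FreeBSD router. MAC, interface, IP and
# rule numbers below are assumed values. Commands are printed by default;
# run with APPLY=1 as root on the router to execute them.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Exact 6-octet MAC only; a bare prefix is rejected rather than silently
# turned into a wildcard.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Drop every frame a given MAC sends into $2. Layer-2 frames traverse ipfw
# twice (ether_demux() on input, ether_output_frame() on output), so the
# rules are pinned with 'layer2' and a direction to keep them out of the
# layer-3 part of the rule set. Nothing reaches these rules until
# net.link.ether.ipfw=1 is set.
block_mac() {
    mac=$1 ifc=$2
    valid_mac "$mac" || { echo "block_mac: bad MAC '$mac'" >&2; return 1; }
    run sysctl net.link.ether.ipfw=1
    # ipfw's MAC option is 'MAC dst src'; the source is the station we block.
    run ipfw add 1000 deny MAC any "$mac" layer2 in recv "$ifc"
    # Remaining frames (ARP included) pass at layer 2; IP policy stays in
    # the normal layer-3 rules, which still see the packet afterwards.
    run ipfw add 1010 allow MAC any any layer2
}

# honk's "ip && mac" idea: an inside address may only be used from the MAC
# it was handed out to. Not a substitute for layer-3 policy, since a MAC
# is trivially changed (kamikaze's point); it only raises the bar.
pin_ip_to_mac() {
    ip=$1 mac=$2 ifc=$3
    valid_mac "$mac" || { echo "pin_ip_to_mac: bad MAC '$mac'" >&2; return 1; }
    run ipfw add 900 allow ip from "$ip" to any MAC any "$mac" layer2 in recv "$ifc"
    run ipfw add 901 deny ip from "$ip" to any layer2 in recv "$ifc"
}

block_mac 00:00:ab:cd:00:01 em1
pin_ip_to_mac 192.168.1.20 00:00:ab:cd:00:02 em1
```

Rule 901 only fires when 900 did not match, so a frame carrying that IP from any other MAC is dropped before the IP stack sees it.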

Pushrod
February 18th, 2009, 02:44
One major flaw I see in the OSS/nerd communities is always having to give a reason. Who cares why; I wanted to know if it can be done.

Mel_Flynn
February 18th, 2009, 17:55
> One major flaw I see in the OSS/nerd communities is always having to give a reason. Who cares why; I wanted to know if it can be done.

And one thing you learn when helping people in the OSS/nerd community is that there are people who ask something complex to solve a simple problem, for which there is a simple solution.
These two obviously bite each other, and neither is a flaw, it's humanity.

For example, I had a similar issue on my wireless network. A machine was left on, attracted a virus and the owners were on vacation (legitimate user). Instead of blocking the MAC, I told the DHCP server to send default-router 127.0.0.1. The traffic stopped and didn't even hit the router's IP stack. I could also have told the DHCP server to issue a fixed IP and block that IP, if I was interested in monitoring.

Obviously, if you're fighting people that know their way around and don't use DHCP, this isn't gonna work.

gk
March 19th, 2009, 20:47
I've worked on improving layer2 filtering capabilities in ipfw and pf during Summer of Code 2008. The code is now in the projects repository: http://svn.freebsd.org/viewvc/base/projects/l2filter/
And is going to be committed into the main repo.

Some examples can be found here: http://blogs.freebsdish.org/gleb/

Hope that helps you ;)