MAC filtering (layer 2 address filtering) is an access control method in which the 48-bit hardware address assigned to each network card is used to decide whether a device may access the network. Iptables, pf, and IPFW can block a given MAC address on a network just as they can block an IP address, so one can deny or allow traffic from a MAC address such as 00:1e:2a:47:42:8d using open source firewalls. MAC address filtering is often used to secure LANs, wireless networks and devices. Is this technique effective?

Short answer – NO.

Long answer

Personally, I neither use nor recommend MAC address based filtering. A MAC address can be spoofed easily under every operating system out there, so I wonder why anybody would want to use MAC-based filtering at all. You can just as easily filter on IPv4 or IPv6 addresses. My formula for filtering and controlling bad stuff is as follows:

For Servers:

  1. Throttle network connections using the firewall, operating system control mechanisms, and application control mechanisms.
  2. Set a connection rate per IP; do not allow unlimited access to any public service.
  3. Drop abusing netblocks at the router / edge level.
  4. Drop bad IPs using an Iptables / pf firewall. Use a DMZ if required. Use a proxy layer if required.
  5. Disable unwanted services.
  6. Monitor public services using open source tools, an IPS and/or custom scripts.
  7. Default policy deny all and open only the required ports; apply a least privilege policy to all applications, users and anything else that can communicate over the network.
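As an added example (not code from the original post), here is a POSIX shell script that turns steps 1 to 4 and 7 of the server checklist into an iptables ruleset: default-deny policy, a dropped netblock, and per-IP connection rate and concurrency limits on two public services, with the MAC-based rule from the introduction included for comparison. The ports, the netblock and the limits are assumed, constructed values; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the post's own code: the server checklist as an
# iptables ruleset, plus the layer-2 rule the post argues against.
# Override IPT (e.g. IPT=echo) to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# Assumed, constructed values for the example.
SSH_PORT=22
WEB_PORT=80
BAD_NETBLOCK="203.0.113.0/24"   # documentation range standing in for an abusive netblock
BAD_MAC="00:1e:2a:47:42:8d"     # the MAC address quoted in the introduction

firewall_rules() {
    # Step 7: default policy deny all; only the rules below open anything.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Steps 3/4: drop the abusing netblock before any service rule sees it.
    $IPT -A INPUT -s "$BAD_NETBLOCK" -j DROP

    # Step 2: per-IP connection rate on SSH; above 4 new connections per
    # minute from one source, further attempts are dropped.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-above 4/min -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Steps 1/2: cap concurrent connections per source IP on the web service.
    $IPT -A INPUT -p tcp --dport "$WEB_PORT" -m connlimit \
        --connlimit-above 20 --connlimit-mask 32 -j DROP
    $IPT -A INPUT -p tcp --dport "$WEB_PORT" -j ACCEPT

    # The layer-2 rule from the introduction: it only sees frames on the
    # local segment and stops matching as soon as the sender's MAC changes.
    $IPT -A INPUT -m mac --mac-source "$BAD_MAC" -j DROP
}

# Dry-run helper: number of rules that mention a given destination port.
rules_for_port() {
    ( IPT=echo; firewall_rules ) | grep -c -- "--dport $1"
}

# Apply only when asked (needs root); otherwise print the ruleset.
if [ "${1:-}" = "--apply" ]; then firewall_rules; else ( IPT=echo; firewall_rules ); fi
```

Run it without arguments to review the generated rules, and with --apply as root to load them.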

For Wireless networks and Desktops

  1. Always use WPA / WPA2 with TKIP or AES encryption and a strong passphrase.
  2. Change your passphrase every month.
  3. Disable stupid UPnP.
  4. Disable your wireless router’s remote management and ssh / telnet port features.
  5. Turn on the firewall, port scan and DoS protection.
  6. Windows / Mac OS X users should always use an anti-virus and firewall / internet security suite. Always keep your operating system and virus databases up to date.
  7. Use a VPN or SSH while communicating with Linux / Windows servers.
  8. Use the secure SMTP, IMAP or POP3 versions for email communication. Most ISPs and free services such as Gmail support the secure versions of these email protocols.

Personally, if I found anyone breaking the security policies, I would warn them. In some cases I would recommend firing them. I don’t care whether it is a small breach or anything else: if you are willing to break the IT security policies, why should you be trusted? Hire a third party or consultant to evaluate your current security policy.

What do you think? Do you use MAC based filtering?

15 comments
  • VonSkippy Feb 17, 2009 @ 22:36

    “Change your paraphrase every month”

    Shouldn’t that be “Change your PASSphrase every month”?

    And no, Mac Filtering is pretty much a waste of time since it’s so easy to bypass.

  • 🐧 nixCraft Feb 18, 2009 @ 7:45

    Thanks for the heads up.

  • mhernandez Feb 18, 2009 @ 8:08

    I use MAC filtering just as an additional security measure. As you could’ve mentioned,

    ifconfig wlan0 hw ether 12:34:56:78:9a:bc

    will do the trick, but my home network is easy enough to configure, so I don’t see why not make my AP a little bit more secure.

  • ble Feb 18, 2009 @ 8:22

    In most networks it’s also easy to just change your IP, usually easier than changing your MAC address; not everyone can use “ip verify” from Cisco :p

    If you know a good way to prevent changing IPs, please tell me.

  • 🐧 nixCraft Feb 18, 2009 @ 8:30

    @ ble,

    Use an authenticated, password protected gateway to provide access to the office and to people working from home. BSD authpf or an expensive Cisco device can do the job. This is what we do at work. You get access to the Intranet, LAN and server racks only after you authenticate yourself. We do not use IP / MAC (layer 2 / 3) based filtering at all. To make authentication harder we use RSA keys, so the password is like password+RSAKey. The RSA key changes every 10 / 30 seconds, so you have to specify a unique password for each login.

    Try authpf or an Authentication Gateway using iptables. No need to spend your time with stupid Mac filtering.

  • Tudorminator Feb 18, 2009 @ 11:23

    I use MAC filtering in addition to the other measures. The way I see it, it’s just like another password, on top of all the others. Anyone trying to get access to the network would have to know the allowed MAC addresses in order to spoof them. Are you saying that it is possible to somehow obtain the list of allowed MACs from the firewall/router?

  • Tapas Mallick Feb 18, 2009 @ 12:12

    Will you please publish on “Throttle network connections” and “Set connection rate per IP” in any upcoming article for IPTABLES based firewall ?

  • loophole Feb 18, 2009 @ 13:15

    I see little point in doing MAC filtering firewall-wise because MACs are too easy to spoof. But for small networks there is a quite simple solution: just set a static MAC address using the “ip” command on Linux. But you also need fixed IPs for that.

    On a switch, MAC filtering per port is a nice feature; I have it on my ProCurve 2626. Once you have a MAC set for a port, no other MAC is allowed on that port.

  • ZebraSnarl Feb 18, 2009 @ 16:33

    If someone wanted to get the MAC addresses from your network, all they would have to do is ping the clients with an app like arping.

    In the dorm days, I installed win98 on a PC for a buddy. The authentication software was not supported on win98, so we spoofed MAC addresses to get him on the network.

  • Superhuman Feb 19, 2009 @ 5:46

    For one, don’t let your wireless AP do DHCP; don’t do DHCP on your LAN at all. Statically assign all IPs.
    Use a non standard private network eg Makes it harder for outside people to guess your configuration.
    Only allow certain IPs access to the outside by putting a firewall box between the wireless AP and the LAN, or between the LAN and the router. Have ACLs; always have ACLs.

    Wireless is insecure, no matter how good your security is.

  • ezeze5000 Feb 22, 2009 @ 2:29

    This could be something else that might help.
    If you only need wireless at certain times, you might try just turning off the wireless when it’s not needed. That will narrow the window of opportunity for unauthorized access.
    Multiple layers of protection can’t hurt.
    Just my 2 cents’ worth.

  • Tudorminator Feb 27, 2009 @ 11:22

    arping works only in the context of the local network, as detailed here. There are no concerns there, I have complete control over the machines inside my network. I was asking if there’s any way that someone outside my network would be able to probe my wireless router and somehow get the list of MAC addresses it allows to connect.

  • miguimon Mar 14, 2009 @ 5:48

    Yeah, I am sure there is a way to get at least some MAC addresses on your wireless network from outside. For example, you could use the aircrack-ng suite: with airodump-ng you start monitoring the target by channel or AP, and if you are lucky enough you will get the active clients with their corresponding MACs.

    I use MAC address filtering as well, as an extra protection measure for my wireless network, but I know it is totally useless if you have little knowledge.

  • Stupid Sr. Software Engineer Mar 31, 2009 @ 16:53

    Ooo RSA Keys! Love ’em. What I’d really like is if it could change the password every 2 or 3 nanoseconds. Plus our I.T. group has implemented a REAL firewall. They dug a trench around our server, poured gasoline in there and set it ablaze. Then they put a razorwire fence around that. Our system is the pinnacle of security now. NOBODY gets in… EVER. I love our I.T.
    I used to have an 11 character password with mixed case / numbers / special characters. To brute force my password would require tens of trillions of attempts. And it was locked in my head, and I could type it in a flash. Now my password has to change every month and the only way I can remember it is if I WRITE IT DOWN.

    I used to keep a post-it note under my keyboard or on my screen with Username and Password… Oh, it wasn’t really my username and password. I just like to piss off I.T. snoops. What could be better than feeding a potential threat disinformation?

  • Jul 20, 2016 @ 15:04

    “Personally, I do not use and recommend MAC address based filtering”
    Are you serious ?

    There is nothing more efficient for protecting against MITM attacks than MAC address based filtering!

    Under Linux, arptables is really wonderful for blocking access by unknown equipment.
    A spoofed MAC address is really fast to detect, because the spoofed MAC no longer has access to the network.
