Я написал скрипт позволяющий проходить с локальной сети наружу только одному MAC адресу
#!/bin/sh -

fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} table all flush
${fwcmd} nat 1 delete

# NETWORK CONNECTIONS
if_inet="igb0"
if_lan="igb1"

# Local
${fwcmd} add allow all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny all from 127.0.0.0/8 to any

# NAT
${fwcmd} nat 1 config if ${if_inet} same_ports reset log
${fwcmd} add nat 1 ip from "table(0)" to any out via ${if_inet}
${fwcmd} add nat 1 ip from any to any in via ${if_inet}

# TABLE (0):
${fwcmd} add allow ip from any to any
${fwcmd} table 0 add 10.44.5.55. #(это ip c нужным mac адресом)

# MAC addresses to alow
# These only take effect if sysctl net.link.ether.ipfw=1
GOOD_MACS_F=" { MAC any 00:1c:c0:f1:cb:c8 }"
GOOD_MACS_T=" { MAC 00:1c:c0:f1:cb:c8 any }"

# Allow the ARP traffic from everyone
${fwcmd} add 4 allow ip from any to any layer2 mac-type arp

# Allow traffic from specific MAC addresses
${fwcmd} add 5 allow ip from any to any $GOOD_MACS_F in recv $if_lan

# Allow traffic to specific MAC addresses
${fwcmd} add 6 allow ip from any to any $GOOD_MACS_T out xmit $if_lan

# Allow all IP-level traffic
${fwcmd} add 7 allow ip from any to any via $if_lan

# Deny all MAC-level traffic
${fwcmd} add 8 deny ip from any to any MAC any  via $if_lan
Пакеты и пинг на нужную страницу проходят но страница не открывается. Почему? Где тормозит IPFW?
ipfw -at show
00004  1161   51570 Mon Jan 30 08:28:59 2017 allow ip from any to any layer2 mac-type 0x0806
00005   791  148912 Mon Jan 30 08:29:00 2017 allow ip from any to any MAC any 00:1c:c0:f1:cb:c8 in recv igb1
00006   400   56502 Mon Jan 30 08:29:00 2017 allow ip from any to any MAC 00:1c:c0:f1:cb:c8 any out xmit igb1
00007 14703 2307557 Mon Jan 30 08:29:00 2017 allow ip from any to any via igb1
00100     0       0                         allow ip from any to any via lo0
00200     0       0                         deny ip from any to 127.0.0.0/8
00300     0       0                         deny ip from 127.0.0.0/8 to any
00400   982  256760 Mon Jan 30 08:28:59 2017 nat 1 ip from table(0) to any out via igb0
00500  1920  316385 Mon Jan 30 08:29:00 2017 nat 1 ip from any to any in via igb0
00600 14455 2237783 Mon Jan 30 08:29:00 2017 allow ip from any to any
65535      0         0                         deny ip from any to any
Сайт  открывается если заменить 1 на 0 в команде sysctl net.link.ether.ipfw=0