At the moment, there is only one way to check a packet's src or dst MAC addresses in ipfw - mac dst-mac src-mac command.
If you want to check a packet against many MAC addresses, you have to add a rule for every of them.
It can be quite slow, e.g. https://lists.freebsd.org/archives/freebsd-ipfw/2021-August/000078.html
By analogy with IP address matching, I've implemented a way to use ipfw radix tables for MAC matching.
I've added a new ipfw table with mac:radix type, and added src-mac and dst-mac lookup commands.
- ipfw table 1 create type mac
- ipfw table 1 add 11:22:33:44:55:66/48
- ipfw add skipto tablearg src-mac 'table(1)' or ipfw add deny src-mac 'table(1, 100)'. ipfw add deny lookup dst-mac 1 syntax is also supported.
Notice that you need to set sysctl net.link.ether.ipfw=1 to enable ipfw filtering on L2 level.