No, sorting or determining a pattern in the MAC address isn't a feasible way to map to model of Apple product.
Over years of watching MAC addresses on networks as well as the explosion of devices on the iOS end of things, if there were a nice pattern, it would start showing in deployments with hundreds of devices.
For example, I have one Mac that has data on about 1,000 iOS devices that have been connected over time to that Mac while iPhone configuration utility was running. Looking at the data now, there are no clear patterns to help differentiate between the device types.
This also applies to Macs. Sadly, my data here is in the hundreds and not thousands presently. Yes - a string of MacBooks when ordered together will usually have sequential addresses (more so than sequential serial numbers in fact) - but over time, the iMacs seem mixed in with the Airs and the MacBook Pro.
It could be that there is some encoding present and no-one has stumbled across which bits are coded with model numbers, but a simple sort of the MAC addresses has the devices all jumbled up. Perhaps if you can find someone that runs the mobile device management software for a very large company or school district and see if they are curious enough to see if a larger data set would yield some better results for you.
I haven't seen a case where a Mac and an iOS device share the same smaller block of MAC addresses, but I can't even rule that out for you based on my experience running networks that log MAC address and are in a position to know what hardware is associated with which MAC address over the years.
My guess is the addresses are issued sequentially rather than by final destination. It would make sense to dole out parts of each region to factories that are expected to make 5 or 10 thousand devices in the next month and only issue more once the existing addresses are consumed. If so, we might have better luck trying to bin the numbers by approximate manufacturing date rather than by where it ends up in a shipping product. Also consider on the Mac end, repairs often give a new MAC address to portables and even desktop Macs when the ethernet controller is replaced.
My friend, if memory serves me well, you will need to add
net.inet.tcp.icmp_may_rst=0
to /etc/sysctl.conf, and then modify the running kernel-
sudo sysctl -w net.inet.tcp.icmp_may_rst=0
That should do the trick. If no /etc/sysctl.conf exists, here is a shortcut:
echo "net.inet.tcp.icmp_may_rst=0" | sudo tee -a /etc/sysctl.conf
sudo chmod 644 /etc/sysctl.conf
Hope that resolves the inconsistency with PF.
F.
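As an added example, not part of the answer above, here is a small POSIX shell helper that persists a sysctl key into a config file without leaving duplicate lines and then checks whether the running kernel value matches. It assumes it is run as root (for example under `sudo sh`) when the target is /etc/sysctl.conf, so the file writes themselves are privileged; a plain `sudo echo ... >> file` does not work because the redirection is performed by the unprivileged shell.

```shell
#!/bin/sh
# Added example (not from the original answer): persist a sysctl setting without
# duplicating lines, then confirm the running kernel agrees with the config file.
# Assumes it is run as root (e.g. `sudo sh persist_sysctl.sh`) when targeting
# /etc/sysctl.conf, so the redirections below run with the needed privileges.
set -eu

# Write KEY=VALUE into FILE, replacing any existing line for KEY instead of
# appending a duplicate (repeated runs leave exactly one line for KEY).
ensure_sysctl_line() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  if [ -f "$file" ]; then
    # Keep every line that does not start with "KEY=" (literal prefix match, no regex).
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$file"   # write through, preserving the target's owner and mode
  rm -f "$tmp"
}

# Report whether the running value of KEY matches WANT: prints "ok" or
# "mismatch (...)" so a post-change audit can tell if `sysctl -w` was skipped.
check_running_value() {
  key=$1; want=$2
  have=$(sysctl -n "$key" 2>/dev/null || echo unavailable)
  if [ "$have" = "$want" ]; then
    echo ok
  else
    echo "mismatch (running=$have wanted=$want)"
  fi
}

# Usage on macOS, as root:
#   ensure_sysctl_line /etc/sysctl.conf net.inet.tcp.icmp_may_rst 0
#   sysctl -w net.inet.tcp.icmp_may_rst=0
#   check_running_value net.inet.tcp.icmp_may_rst 0
```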
Best Answer
I highly recommend Little Snitch. Although it doesn't do anything you couldn't do with free tools, it makes monitoring, configuring, and blocking your system's outgoing traffic on a per-application basis ridiculously easy.
I'm a programmer, and one of those guys who always has a Terminal window open, and yet I still prefer using Little Snitch for this task.
It's not free, but it is cheap. And the free trial is fully functional - the only caveat is you have to manually restart it every 3 hours.
That would probably be all you need to open all your Apple-branded apps and verify whether or not they're phoning the mothership.
And if they are phoning any address outside the 17.x.x.x range, you'd learn that really quick.