Without MAC address filtering, any wireless client can join (authenticate with) a Wi-Fi network if they know the network name (also called the SSID) and perhaps a few other security parameters like encryption keys. When MAC address filtering is enabled, however, the access point or router performs an additional check on a different parameter. Obviously the more checks that are made, the greater the likelihood of preventing network break-ins.
To set up MAC address filtering, you as a WLAN administrator must configure a list of clients that will be allowed to join the network. First, obtain the MAC addresses of each client from its operating system or configuration utility. Then, they enter those addresses into a configuratin screen of the wireless access point or router. Finally, switch on the filtering option.
Once enabled, whenever the wireless access point or router receives a request to join with the WLAN, it compares the MAC address of that client against the administrator's list. Clients on the list authenticate as normal; clients not on the list are denied any access to the WLAN.
MAC addresses on wireless clients can't be changed as they are burned into the hardware. However, some wireless clients allow their MAC address to be "impersonated" or "spoofed" in software. It's certainly possible for a determined hacker to break into your WLAN by configuring their client to spoof one of your MAC addresses. Although MAC address filtering isn't bulletproof, still it remains a helpful additional layer of defense that improves overall Wi-Fi network security.
Do not confuse MAC address filtering with content filtering. Content filtering on a wireless access point or router allows administrators to maintain a list of Web site URLs or addresses that should not be accessed from the home WLAN.