Using pfctl on Mac OS 10.11 (El Capitan) to forward ports

I am currently testing whether my development environment will work on the new Mac OS 10.11, and if I can upgrade as soon as it is released. On my test machine, I am currently running Beta Preview 3. Everything seems to be working fine.

I just can't get pfctl to forward my ports. I use Vagrant and Parallels Desktop to run the Debian system for my local web server. Vagrant forwards port 8080 on the host to port 80 on the guest, so 127.0.0.1:8080 is working fine. But in some projects I want to have the same local domain as in production (without the :8080). I also like it better. ;-)

For this, I use pfctl to forward from 80 to 8080 on the host. Here are my configuration files:

~/port-forwarding/pf.conf

    rdr-anchor "forwarding"
    load anchor "forwarding" from "/Users/nick/port-forwarding/rules.conf"

~/port-forwarding/rules.conf

    rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
    rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433

To enable it, I ran:

    sudo pfctl -vnf ~/port-forwarding/pf.conf
    sudo pfctl -evf ~/port-forwarding/pf.conf

This gives me the following:

    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.

    rdr-anchor "forwarding" all
    Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
    rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
    rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.

    No ALTQ support in kernel
    ALTQ related functions disabled
    rdr-anchor "forwarding" all
    Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
    rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
    rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
    pf enabled
    logout
    Saving session...completed.

sudo pfctl -s nat says:

    No ALTQ support in kernel
    ALTQ related functions disabled
    rdr-anchor "forwarding" all

So far it looks good, I think. But that just doesn't work.

    127.0.0.1:80 - no connection
    127.0.0.1:8080 - working

I use the same files on Yosemite and it works great.

Does anyone know if there was a change in how to use pfctl, or if I am doing something wrong, or if there is an error that can be reported?

Thank you so much

Nick

+8
vagrant apache osx-elcapitan portforwarding macos
1 answer

This only applies to OSX 10.11 - El Capitan - Public Beta 1

x-post from: https://superuser.com/questions/938999/osx-10-11-el-capitan-beta-pf-conf-behaviour-changed/943981#943981

In the latest 10.11 beta, 127.0.0.1 is blocked. Solution? Use 127.0.0.2. To do this:

First, add 127.0.0.2 as an alias on loopback:

    sudo ifconfig lo0 alias 127.0.0.2 up

Modify your pf rule to use the new alias:

    rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080

From the command line, without using a file:

    echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | sudo pfctl -Ef -

(<- be sure to add that last dash; you are piping in from STDIN)

+10
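The answer's rule drops the `on lo0` qualifier that the question's rules carry, so pf matches it on every interface and not only on loopback. A small check for that, as an added example that is not part of the original thread: `lint_rdr` and `sample_rules` are hypothetical names, and the parser assumes the simple one-line `rdr` form shown on this page.

```shell
#!/bin/sh
# Added example (not from the original thread): lint pf "rdr" rules.
# Reads rules on stdin and prints one line per rdr rule:
#   <line number> <interface|ANY> <matched port(s)> <redirect target>
# Exit status is 1 if any rdr rule is not bound to an interface ("on <if>").
lint_rdr() {
    awk '
    $1 == "rdr" {
        iface = "ANY"; ports = "-"; target = "-"
        for (i = 2; i <= NF; i++) {
            if ($i == "on") iface = $(i + 1)
            # pfctl -s nat prints "port = 80"; rule files use "port 80"
            if ($i == "port") ports = ($(i + 1) == "=") ? $(i + 2) : $(i + 1)
            if ($i == "->") {
                target = $(i + 1)
                if ($(i + 2) == "port") target = target ":" $(i + 3)
                break
            }
        }
        if (iface == "ANY") unbound = 1
        printf "%d %s %s %s\n", NR, iface, ports, target
    }
    END { exit unbound + 0 }
    '
}

# The three rules as posted on this page: the question's two (bound to lo0)
# and the answer's one (no interface given).
sample_rules() {
    cat <<'EOF'
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433
rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080
EOF
}

sample_rules | lint_rdr ||
    echo "warning: at least one rdr rule is not restricted to an interface"
```

To keep the workaround local to the machine, the 127.0.0.2 rule can keep the question's `on lo0 inet` qualifiers.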