Using pfctl on Mac OS 10.11 (El Capitan) to forward ports
I am currently testing whether my development environment will run on the upcoming Mac OS 10.11 and whether I can upgrade as soon as it's released. On my test machine I am currently running the Beta Preview 3. Everything seems to be running fine.

I just can't get pfctl to forward my ports. I use Vagrant and Parallels Desktop to run a Debian system for my local web server. Vagrant forwards port 8080 on the host to 80 on the guest, so 127.0.0.1:8080 works fine. But in some projects I want to have exactly the same domain locally as it will be in production (without the :8080). Also I just like it more. ;-)

To do that I use pfctl to forward 80 to 8080 on the host. Here are my config files:

~/port-forwarding/pf.conf

rdr-anchor "forwarding"
load anchor "forwarding" from "/Users/nick/port-forwarding/rules.conf"

~/port-forwarding/rules.conf

rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080 
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433 

To enable it, I run:

sudo pfctl -vnf ~/port-forwarding/pf.conf
sudo pfctl -evf ~/port-forwarding/pf.conf

This gives me this:

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

rdr-anchor "forwarding" all

Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all

Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pf enabled
logout
Saving session...completed.

sudo pfctl -s nat says:

No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all

So far it looks good, I think. But it just does not work.

127.0.0.1:80 - no connection
127.0.0.1:8080 - works

I use the same files on Yosemite and it works fine there.

Does anyone know if there's been a change in how to use pfctl, or if I am doing something wrong, or if there's a bug which can be reported?

Thanks a lot

Nick

Enwreathe answered 20/7, 2015 at 13:6 Comment(1)
Someone asked about it on superuser and this comment in particular might help if you are willing to change the ports you are forwarding to. You may want to follow the post anyway, as it belongs there more than on stackoverflow. (Piscatory)

This only applies to OSX 10.11 - El Capitan - Public Beta 1

x-post from: https://superuser.com/questions/938999/osx-10-11-el-capitan-beta-pf-conf-behaviour-changed/943981#943981

In the latest 10.11 beta, 127.0.0.1 is blocked. The solution? Use 127.0.0.2. To do this:

First add 127.0.0.2 to the loopback alias:

sudo ifconfig lo0 alias 127.0.0.2 up

Modify your pf rule to use the new alias:

rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080

From the command line, without using a file:

echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | pfctl -Ef -

(Be sure to add this last tick; you're piping in STDIN.)

Celio answered 22/7, 2015 at 18:0 Comment(3)
I just upgraded to 10.11 Beta 4 and it seems to be working as it did before. (Enwreathe)
Make sure you use sudo: echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | sudo pfctl -Ef - (Waterloo)
Just as a note for others looking, 127.0.0.1 does not appear to be blocked within the public release versions of El Capitan, for example on OS X 10.11.5. I have been able to successfully set up pf-based local loopback forwarding against 127.0.0.1 on El Capitan. (Nievesniflheim)
