Skip to content

Instantly share code, notes, and snippets.

@kujohn
Last active November 6, 2024 06:39
Show Gist options
  • Save kujohn/7209628 to your computer and use it in GitHub Desktop.
Save kujohn/7209628 to your computer and use it in GitHub Desktop.
Port forwarding in Mavericks

Port Forwarding in Mavericks


Since Mavericks stopped using the deprecated ipfw (as of Mountain Lion), we'll be using pf to allow port forwarding.

####1. anchor file Create an anchor file under /etc/pf.anchors/<anchor file> with your redirection rule like:

rdr pass on lo0 inet proto tcp from any to 127.0.0.2 port 80 -> 127.0.0.1 port 40070

####2. Test the anchor file Parse and test your anchor file to make sure there are no errors:

sudo pfctl -vnf <anchor file>

####3. Reference the anchor in pf.conf /etc/pf.conf is the main configuration file that pf loads at boot. We'll need to load the anchor file we previously created:

rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/<anchor file>"

Make sure to add these entries to the appropriate spot.

####4. Load and enabling pf pf is not enabled by default in Mavericks, few ways to enable this:

  • Manually load and enable from a pf.conf file via sudo pfctl -ef <pf.conf file>

  • Auto enable by creating a launch daemon via this doc to run pfctl -ef <pf.conf file> on boot.

  • Auto enable by adding an -e(enable) to the pfctl ProgramArgument in /System/Library/LaunchDaemons/com.apple.pfctl.plist like this:

<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-e</string>
<string>-f</string>
<string>/etc/pf.conf</string>
</array>

####5. Forwarding across interfaces By default, pf does not forward between interfaces. Here's a snippet from man for pfctl with help from 2sidedfigure:

The packet filter does not itself forward packets between interfaces.  Forwarding can be enabled by setting the sysctl(8) variables net.inet.ip.forwarding and/or net.inet6.ip6.forwarding to 1.  Set them permanently in sysctl.conf(5).

We'll need to enable this by adding to /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Caution

There is the possibility that pf.conf will be overriden with updates to the OS. It might be best to create your own pf config file and load them in additon to the main pf.conf to prevent this.

@ssaadh
Copy link

ssaadh commented Aug 15, 2017

Would be nice to show how to do this temporarily as well. something like:

echo "
rdr pass on lo0 inet proto tcp from any to 127.0.0.2 port 80 -> 127.0.0.1 port 40070
" | sudo pfctl -ef -

not exactly sure what the code would be like. But something like that. it won't persist a restart, but i don't want mine to.

@dlo
Copy link

dlo commented May 23, 2018

@inoicouldalwaysturn2u - what you have is close to what works for me (on macOS 10.13.4):

echo "rdr pass inet proto tcp from any to any port 80 -> 127.0.0.1 port 8000" | sudo pfctl -ef -

@kourindouhime
Copy link

@dlo thank you, this is the best answer on the internet. Works on Sierra.

@sergeyzwezdin
Copy link

@ctgreybeard @dandriana @snimavat the same problem for me - worked with local IP, but unable to route to external IP. Have you managed to solve the problem guys?

@jbis9051
Copy link

@sergeyzwezdin any progress?

@sergeyzwezdin
Copy link

@jbis9051
Copy link

jbis9051 commented Jun 25, 2019

@sergeyzwezdin Ok. Thanks. I will use that as a last resort, still going to look for a pf solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment