Using pfctl on Mac OS 10.11 (El Capitan) to forward ports
This only applies to OSX 10.11 - El Capitan - Public Beta 1
x-post from: https://superuser.com/questions/938999/osx-10-11-el-capitan-beta-pf-conf-behaviour-changed/943981#943981
In the latest 10.11 beta, 127.0.0.1 is blocked. The solution? Use 127.0.0.2. To do this:
First add 127.0.0.2 to the loopback alias
sudo ifconfig lo0 alias 127.0.0.2 up
Modify your pf rule to use the new alias.
rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080
From the command line, without using a file:
echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | pfctl -Ef -
(<-- Be sure to add this last tick, you're piping in STDIN)
Dafen
Updated on July 22, 2022
Comments
-
Dafen almost 2 years
I am currently testing if my developing environment will run on the new upcoming Mac OS 10.11 and if I can upgrade as soon as it's released. On my test machine I am currently running the Beta Preview 3. Everything seems to be running fine.
I just can't get pfctl to forward my ports. I use Vagrant and Parallels Desktop to run a Debian system for my local web server. Vagrant forwards port 8080 on the host to 80 on the guest. So 127.0.0.1:8080 works fine. But in some projects I want to have the exact same domain local as it will be in production. (without the :8080) Also I just like it more. ;-)
To do that I use pfctl to forward 80 to 8080 on the host. Here are my config files:
~/port-forwarding/pf.conf
rdr-anchor "forwarding"
load anchor "forwarding" from "/Users/nick/port-forwarding/rules.conf"
~/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433
To enable it, I run:
sudo pfctl -vnf ~/port-forwarding/pf.conf
sudo pfctl -evf ~/port-forwarding/pf.conf
This gives me this:
pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
rdr-anchor "forwarding" all
Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pfctl: Use of -f option, could result in flushing of rules present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all
Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pf enabled
logout
Saving session...completed.
sudo pfctl -s nat says:
No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all
So far it looks good, I think. But it just does not work.
127.0.0.1:80 - no connection
127.0.0.1:8080 - works
I use the same files on Yosemite and it works fine there.
Does anyone know if there's been a change on how to use pfctl or if I am doing something wrong or if there's a bug which can be reported?
Thanks a lot
Nick
-
Thibault Martin almost 9 years
Someone asked about it on superuser and this comment in particular might help if you are willing to change the ports you are forwarding to. You may want to follow the post anyway, as it belongs there more than on stackoverflow.
-
Dafen almost 9 years
I just upgraded to 10.11 Beta 4 and it seems to be working as it did before.
-
Irimia over 8 years
Make sure you use sudo:
echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | sudo pfctl -Ef -
-
bluebinary almost 8 years
Just as a note for others looking, 127.0.0.1 does not appear to be blocked within the public release versions of El Capitan, for example on OS X 10.11.5. I have been able to successfully set up pf-based local loopback forwarding against 127.0.0.1 on El Capitan.
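
The steps from the answer at the top of the page (loopback alias, then rules piped to pfctl), combined with the `on lo0` scoping used in the question's rules.conf, as an added shell example that is not part of the original posts. The function names, the `apply` argument and the script name `pf-forward.sh` are assumptions of this example; it refuses any redirect target outside 127.0.0.0/8 and any malformed port pair.

```shell
#!/bin/sh
# Added example: loopback-only pf redirects on macOS. All function names,
# the "apply" argument and the script name are assumptions of this example.

# Succeed only for a port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed only for a dotted quad in 127.0.0.0/8, so the redirect stays local.
valid_loopback() {
    case "$1" in *[!0-9.]*|*.*.*.*.*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] && [ "$1" = 127 ] || return 1
    for octet in "$2" "$3" "$4"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one rule per FROM:TO pair, scoped to lo0 like the question's rules.conf.
make_rdr_rules() {
    target=$1; shift
    valid_loopback "$target" || { echo "not a loopback address: $target" >&2; return 1; }
    for pair in "$@"; do
        from=${pair%%:*}; to=${pair#*:}
        if [ "$from:$to" != "$pair" ] || ! valid_port "$from" || ! valid_port "$to"; then
            echo "bad port pair: $pair" >&2; return 1
        fi
        printf 'rdr pass on lo0 inet proto tcp from any to any port %s -> %s port %s\n' \
            "$from" "$target" "$to"
    done
}

# macOS only: sudo sh pf-forward.sh apply
if [ "${1:-}" = "apply" ]; then
    # Capture first, so a rejected argument never reaches pfctl half-written.
    rules=$(make_rdr_rules 127.0.0.2 80:8080 443:4433) || exit 1
    ifconfig lo0 alias 127.0.0.2 up
    printf '%s\n' "$rules" | pfctl -vnf - || exit 1   # -n: parse only, load nothing
    # As pfctl's own warning says, -f can flush rules in the main ruleset.
    printf '%s\n' "$rules" | pfctl -Ef -
fi
```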