Using pfctl on Mac OS 10.11 (El Capitan) to forward ports

I am currently testing if my developing environment will run on the new upcoming Mac OS 10.11 and if I can upgrade as soon as it's released. On my test machine I am currently running the Beta Preview 3. Everything seems to be running fine.

I just can get pfctl to forward my ports. I use Vagrant and Parallels Desktop to run a Debian system for my local web server. Vagrant forwards port 8080 on the host to 80 on the guest. So 127.0.0.1:8080 works fine. But in some projects I want to have the exact same domain local as it will be in production. (without the :8080) Also I just like it more. ;-)

To do that I use pfctl to forward 80 to 8080 on the host. Here are my config files:

~/port-forwarding/pf.conf

rdr-anchor "forwarding"
load anchor "forwarding" from "/Users/nick/port-forwarding/rules.conf"

~/port-forwarding/rules.conf

rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080 
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433 

To enable it, I run:

sudo pfctl -vnf ~/port-forwarding/pf.conf
sudo pfctl -evf ~/port-forwarding/pf.conf

This gives me this:

pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

rdr-anchor "forwarding" all

Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all

Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pf enabled
logout
Saving session...completed.

sudo pfctl -s nat says:

No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all

So far it looks good, I think. But it just does not work.

127.0.0.1:80 - no connection 127.0.0.1:8080 - works

I use the same files on Yosemite and it works fine there.

Does anyone know if there's been a change on how to use pfctl or if I am doing something wrong or if there's a bug which can be reported.

Thanks a lot

Nick

I just upgrades to 10.11 Beta 4 and it seems to be working as it did before.

make sure you use sudo: echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | sudo pfctl -Ef -

Just as a note for others looking, 127.0.0.1 does not appear to be blocked within the public release versions of El Capitan, for example on OS X 10.11.5. I have been able to successfully setup pf-based local loopback forwarding against 127.0.0.1 on El Capitan.