I am currently testing if my development environment will run on the new upcoming Mac OS 10.11 and if I can upgrade as soon as it's released. On my test machine I am currently running the Beta Preview 3. Everything seems to be running fine.
I just can't get pfctl to forward my ports. I use Vagrant and Parallels Desktop to run a Debian system for my local web server. Vagrant forwards port 8080 on the host to 80 on the guest. So 127.0.0.1:8080 works fine. But in some projects I want to have the exact same domain locally as it will be in production (without the :8080). Also I just like it more. ;-)
To do that I use pfctl to forward 80 to 8080 on the host. Here are my config files:
~/port-forwarding/pf.conf
rdr-anchor "forwarding"
load anchor "forwarding" from "/Users/nick/port-forwarding/rules.conf"
~/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4433
To enable it, I run:
sudo pfctl -vnf ~/port-forwarding/pf.conf
sudo pfctl -evf ~/port-forwarding/pf.conf
This gives me this:
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
rdr-anchor "forwarding" all
Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all
Loading anchor forwarding from /Users/nick/port-forwarding/rules.conf
rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 4433
pf enabled
logout
Saving session...completed.
sudo pfctl -s nat says:
No ALTQ support in kernel
ALTQ related functions disabled
rdr-anchor "forwarding" all
So far it looks good, I think. But it just does not work.
127.0.0.1:80 - no connection
127.0.0.1:8080 - works
I use the same files on Yosemite and it works fine there.
Does anyone know if there's been a change on how to use pfctl, or if I am doing something wrong, or if there's a bug which can be reported?
Thanks a lot
Nick
This only applies to OSX 10.11 - El Capitan - Public Beta 1
x-post from: https://superuser.com/questions/938999/osx-10-11-el-capitan-beta-pf-conf-behaviour-changed/943981#943981
In the latest 10.11 beta, 127.0.0.1 is blocked. The solution? Use 127.0.0.2. To do this:
First add 127.0.0.2 to the loopback alias:
sudo ifconfig lo0 alias 127.0.0.2 up
Modify your pf rule to use the new alias:
rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080
From the command line, without using a file:
echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | pfctl -Ef -
(<-- Be sure to add this last tick, you're piping in STDIN)
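
The steps of the answer above as one script, added here as an example and not code from either post. It assumes you want the question's "on lo0 inet" scoping combined with the answer's 127.0.0.2 alias; the function names are hypothetical. It validates the alias and ports, then parse-checks the rules with pfctl -n before loading them.

```shell
#!/bin/sh
# Added example, not from the original posts; function names are hypothetical.

# valid_port N: succeed if N is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_loopback ADDR: succeed if ADDR is a dotted quad inside 127.0.0.0/8.
is_loopback() {
    case "$1" in *[!0-9.]*|*.|*..*) return 1 ;; 127.*) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_rdr_rules ALIAS FROM:TO...: print one rdr rule per mapping, or fail.
build_rdr_rules() {
    alias_ip=${1:-}; [ $# -gt 0 ] && shift
    is_loopback "$alias_ip" || { echo "not loopback: $alias_ip" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no port mappings given" >&2; return 1; }
    for map in "$@"; do
        from=${map%%:*}; to=${map#*:}
        [ "$from" != "$map" ] && valid_port "$from" && valid_port "$to" ||
            { echo "bad mapping: $map" >&2; return 1; }
        # "on lo0 inet" (from the question's rules.conf) keeps the redirect
        # off external interfaces; the target is the answer's loopback alias.
        echo "rdr pass on lo0 inet proto tcp from any to any port $from -> $alias_ip port $to"
    done
}

# apply_forwarding ALIAS FROM:TO...: run as root on macOS.
apply_forwarding() {
    rules=$(build_rdr_rules "$@") || return 1
    printf '%s\n' "$rules" | pfctl -nf - || return 1  # -n: parse only, load nothing
    ifconfig lo0 alias "$1" up || return 1            # step 1 of the answer
    # pfctl's own warning on this page: -f could flush the main ruleset.
    printf '%s\n' "$rules" | pfctl -Ef - || return 1  # enable pf and load
    pfctl -s nat                                      # show what is loaded
}

# Only touches the system when asked: sudo sh script.sh apply 127.0.0.2 80:8080
if [ "${1:-}" = "apply" ]; then shift; apply_forwarding "$@"; fi
```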