I am trying to pass traffic from Mac A port 5800 to Mac B on port 5900 using pf
.
This is the intended path of travel:
Client to port 5800 → Router (Yes, port forwarding is setup here) → Mac with PF → PF → 192.168.1.246 port 5900
The following is the rule I intend to use (maybe its wrong):
rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900
Problem 1
When I add the rule to /etc/pf.conf
directly and run sudo pfctl -f /etc/pf.conf
I get:
$ sudo pfctl -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:29: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded
My config file is below:
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900
Problem 2
If I use an anchor
with the same rule above, I get no error. However, the port is still closed and I get connection refused
when trying to connect. After doing some research, I found that one possibly is that there is nothing listing on port 5800, so it is refused but
- I don't want anything to be listening, just forward the traffic to the other computer
- Even if
nc
is listening I still get refused from external and from internal (localhost) it doesn't forward
Best Answer
As the error message states, you need to add your
rdr
rule next to the other translation rules onpf.conf
. Since there is already ardr
anchor present, the best bet is to put yourrdr
rule right after it:(
from any to any
is implied if omitted, so I removed it for readability)The
rdr
rule only tells the packet filter what to do with the TCP packets that arrive on port 5800. You'd normally need apass
rule (i.e. a filtering rule) to tellpf
they are allowed to come in, but it is enough to addpass
to therdr
rule, hencerdr pass
.Note that for the packet to be forwarded, you need to enable it with
sysctl
or set it permanently insysctl.conf
(seeman pfctl
):