IP Forwarding with PF

426 Views 2 Replies Latest reply: Nov 19, 2012 3:49 PM by dan325
roguepacket
Sep 9, 2012 8:01 PM

Hello Everyone,

 

I am looking for a way to forward my web traffic to a proxy server elsewhere on my network, transparently. With previous versions of Mac OS, this was fairly easy to do with IPFW - the command below would do the trick.

 

fwd <proxy server ip>,<proxy port> ip from <my ip> to any dst-port 80

 

Unfortunately, this has changed now that PF is the primary firewall. While other functions - such as redirecting incoming traffic from port 80 to 8080 - still work with IPFW, I simply cannot get IP forwarding to work in any sense. It's like the rules are completely skipped.

Has anyone in the community been able to do this? I have enabled IP Forwarding via Sysctl, and have built an anchor with rules to successfully redirect incoming traffic, but again have not been able to change the destination of outbound traffic.

  • Linc Davis Level 10 (107,445 points)
    Sep 10, 2012 11:38 AM (in response to roguepacket)

    The pf firewall doesn't forward packets. You would have to do it by means of natd. Please don't ask me for instructions -- I don't know. See the pfctl and natd man pages to get started.

  • dan325
    Nov 19, 2012 3:49 PM (in response to Linc Davis)

    I believe that's wrong, actually.  pf, for the uninitiated, comes from the OpenBSD project.  I run all of my company's firewalls with OpenBSD and pf handles my nat.  Now, I admittedly haven't tested out pf on my Mac, but according to the pf.conf man page on Apple's web site, their pf implementation does support nat.  I guess maybe natd is redundant...?  Don't know.

     

    pf takes a little getting used to, but it's the best firewall I've ever used.  It really is pretty awesome.  Hopefully in the future, Apple's pf will get a little closer to the version in OpenBSD.  Currently, Apple's is several years behind.
