Question: intercept en0 traffic and redirect.

What I'm trying to achieve is that I would like to capture all the data that is coming from 10.0.1.144 and send it to 10.0.1.120:5571 and also let it pass on the NAT/router.


Mac OS 10.13.3 Server is the router (10.0.1.1).


So .144 is sending all sorts of stuff to the web and I want to let it continue, but would like to have a copy sent also to .120.


With iptables it would be something like this:


iptables -t mangle -A PREROUTING -s 10.0.1.144 -j ROUTE --tee --gw 10.0.1.120

iptables -t mangle -A POSTROUTING -d 10.0.1.144 -j ROUTE --tee --gw 10.0.1.120


So what would be the equivalent in pf?

Mac Pro, macOS High Sierra (10.13.4), server
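The pf counterpart to the iptables ROUTE --tee rules above, as an added example that is not part of the thread: pf's dup-to action delivers an unmodified copy of each matching packet to a next hop on the given interface while the original is still filtered, NATed and routed as usual. It assumes en0 is the LAN-facing interface on the 10.0.1.1 router and that the rules are placed in the filtering section of /etc/pf.conf, after any nat rules.

```pf
# Constructed pf.conf fragment (added example, not from the thread).
# Assumes en0 faces the 10.0.1.0/24 LAN on the macOS router (10.0.1.1).
lan_if  = "en0"
src     = "10.0.1.144"
monitor = "10.0.1.120"

# Copy of everything .144 sends (equivalent of the PREROUTING tee).
# The original packet continues through the normal ruleset and NAT.
pass in on $lan_if from $src dup-to ($lan_if $monitor)

# Copy of replies heading back to .144 (equivalent of the POSTROUTING tee).
pass out on $lan_if to $src dup-to ($lan_if $monitor)

# Load and enable:  sudo pfctl -f /etc/pf.conf && sudo pfctl -e
# Verify the rules: sudo pfctl -sr
```

Because dup-to copies the packets without rewriting their destination address, the monitor host sees them only with a promiscuous capture (tcpdump or Wireshark on its interface), not as a TCP connection arriving on 10.0.1.120:5571.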


Apr 23, 2018 3:43 AM in response to lorinfrombrossard

I think you mean pfctl. In OS X, "man pfctl" should get you the manual. You'll see some examples given which may lead you further. There's also a nice pf tutorial freely available here:


https://home.nuug.no/~peter/pf/en/long-firewall.html


It's been a while since I used pfctl (not in the same way you're planning) so I can't really offer anything beyond the above. You could cross-post in the Technologies forum and see if someone there can help. Beyond these forums there's IceFloor and possibly Murus, which are apps that provide an interface for pfctl:


http://www.hanynet.com/icefloor/


Neither of which I've used, but some have mentioned them on these forums and judging from what I've read they may also fit the bill.


Apr 23, 2018 1:18 PM in response to lorinfrombrossard

I usually use a mirrored port on the local managed switch, if I'm looking to capture traffic. (Managed switch prices have dropped substantially in recent years, too.) Pass that port into tcpdump or Wireshark for processing, and preferably on a host that's fast enough to log it all.


Or...


Probably close to what you want to do, though a slightly different approach than what you're trying:

https://www.openbsd.org/faq/pf/logging.html

https://pleiades.ucsc.edu/hyades/PF_on_Mac_OS_X

http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/


Apr 23, 2018 4:19 PM in response to lorinfrombrossard

OK, I've made some progress in what I'm trying to achieve...


sudo tcpdump -vvv -i en0 dst ec2-52-25-111-41.us-west-2.compute.amazonaws.com and port 80 > ~/Desktop/test


This obviously writes the dump of traffic whose destination is ec2-52-25-111-41.us-west-2.compute.amazonaws.com to a file, which is fine.


To verify the dump I send it to the host that I wish it would get to with the following command...

nc 10.0.1.120 9999 < ~/Desktop/test

and it works all fine, the host receives and parses it.


Now with that logic I assumed that this would have worked, but it's not.

sudo tcpdump -vvv -i en0 dst ec2-52-25-111-41.us-west-2.compute.amazonaws.com and port 80 | nc -D -v 10.0.1.120 9999 &


Any clue what's wrong? I would also need this to run as a daemon after we've figured it out 😉


Apr 23, 2018 4:36 PM in response to lorinfrombrossard

Tee and log the teed traffic, or mirror the port and log that, or maybe find some TCP connection MITM and proxying tools somewhere. TCP doesn't provide for transparent interception, as the end-points expect to be chatting directly. If you're working with TLS via TCP, then mitmproxy might be interesting, though that'll need to have certificates established to work with that.


Apr 24, 2018 8:30 PM in response to lorinfrombrossard

Figured out that it's a buffering issue, but haven't found a proper way to bypass that....


Also looking into an ngrep approach:


ngrep -l -q -d en0 'ecfabc07ceb6' | tee /var/tmp/dump.txt | sed '/mac=/!d' | xargs -n 1 curl http://10.0.1.120:9999 -s -d


Will see where that goes!
