6

I kind of expected things to break, but ...

My pf forwarding rules, which worked previously on Yosemite, no longer work on 10.11.

My forwarding rule is as follows: `rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080`

I can access the content by going to localhost:8080, but not just localhost, which is the expected (and previous) behaviour.

Did they mention somewhere changes to the pf utility? What do I have to do to make this work?

Tyler Sebastian
  • Are you piping the pf rule to `pfctl`? If so, can you update your question to include this example. – Cory Jul 14 '15 at 21:16
  • I encountered the same problem after upgrading to 10.11. I followed [this advice](https://echo.co/blog/os-x-1010-yosemite-local-development-environment-apache-php-and-mysql-homebrew) to forward port 80 requests to 8080 with the following: `echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.1 port 8080" | pfctl -a "com.apple/260.HttpFwdFirewall" -Ef` – Spencer Williams Jul 17 '15 at 18:15
  • I have the same problem... But I can't get it to work. Did you just paste this command in the terminal? I get this error: `pfctl: option requires an argument -- f` http://stackoverflow.com/questions/31517368/using-pfctl-on-mac-os-10-11-el-capitan-to-forward-ports?noredirect=1#comment51030050_31517368 – Dafen Jul 21 '15 at 14:51
  • @Dafen the -f command requires a file. I think, if you drop that argument, the error will go away. – Tyler Sebastian Jul 21 '15 at 18:21
  • ^ following the above, @williamcwilliams command does not work for me. – Tyler Sebastian Jul 21 '15 at 18:22
  • I upgraded to the Beta Preview 4 and it works again. Same file as on Yosemite. I posted my config here: http://stackoverflow.com/questions/31517368/using-pfctl-on-mac-os-10-11-el-capitan-to-forward-ports/31570667#31570667 – Dafen Jul 23 '15 at 07:41

1 Answer

1

This only applies to OSX 10.11 - El Capitan - Public Beta 1

In the latest 10.11 beta, 127.0.0.1 is blocked. The solution? Use 127.0.0.2. To do this:

First add 127.0.0.2 to the loopback alias: `sudo ifconfig lo0 alias 127.0.0.2 up`

Modify your pf rule to use the new alias: `rdr pass proto tcp from any to any port 80 -> 127.0.0.2 port 8080`

For @williamcwilliams (in comments above), just drop the anchor and it'll work.

`echo "rdr pass proto tcp from any to any port {80,8080} -> 127.0.0.2 port 8080" | pfctl -Ef -` (be sure to add this last tick, you're piping in STDIN)

Cory
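The answer's two steps collected into one script, as an added example that is not part of the original answer. The function names and the `apply` argument are hypothetical; the script validates the ports and insists on a 127.0.0.0/8 target before anything is handed to `pfctl`, and accepts an optional interface so the redirect can be scoped with `on lo0` as in the question's rule.

```shell
#!/bin/sh
# Added example: builds and (optionally) loads the redirect from the answer.
# Function names and the "apply" argument are hypothetical.

# Succeeds only for an integer port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeeds only for a dotted quad inside 127.0.0.0/8, so the redirect
# target can never be a non-loopback address.
valid_loopback() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] && [ "$1" = 127 ] || return 1
    for octet in "$2" "$3" "$4"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_rule FROM_PORT TO_ADDR TO_PORT [INTERFACE]
# Without INTERFACE the rule has no "on" clause, like the answer's rule,
# and therefore matches on every interface.
build_rule() {
    valid_port "$1" && valid_loopback "$2" && valid_port "$3" || return 1
    on=""
    if [ -n "${4:-}" ]; then
        case "$4" in *[!a-z0-9]*) return 1 ;; esac
        on=" on $4"
    fi
    printf 'rdr pass%s proto tcp from any to any port %s -> %s port %s\n' \
        "$on" "$1" "$2" "$3"
}

# Adds the alias, syntax-checks the rule with "pfctl -n", loads it, and
# lists the active translation rules. Needs root on OS X.
apply_redirect() {
    rule=$(build_rule "$@") || { echo "invalid arguments" >&2; return 1; }
    ifconfig lo0 alias "$2" up || return 1
    printf '%s\n' "$rule" | pfctl -nf - || return 1
    printf '%s\n' "$rule" | pfctl -Ef - || return 1
    pfctl -s nat
}

# Only touches the system when called as: sudo sh script.sh apply
if [ "${1:-}" = "apply" ]; then apply_redirect 80 127.0.0.2 8080; fi
```

`pfctl -s nat` at the end prints the loaded translation rules, which confirms whether the redirect is actually active.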