7

I am trying to pass traffic from Mac A port 5800 to Mac B on port 5900 using pf.

This is the intended path of travel:

Client to port 5800 → Router (Yes, port forwarding is setup here) → Mac with PF → PF → 192.168.1.246 port 5900

The following is the rule I intend to use (maybe its wrong):

rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 1

When I add the rule to /etc/pf.conf directly and run sudo pfctl -f /etc/pf.conf I get: 

$ sudo pfctl -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:29: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

My config file is below:

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically 
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 2

If I use an anchor with the same rule above, I get no error. However, the port is still closed and I get connection refused when trying to connect. After doing some research, I found that one possibly is that there is nothing listing on port 5800, so it is refused but

  1. I don't want anything to be listening, just forward the traffic to the other computer
  2. Even if nc is listening I still get refused from external and from internal (localhost) it doesn't forward
JBis
  • 211
  • 2
  • 9
  • The syntax is wrong. The example in the `pf.conf` manual has `rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd`. Note: No `pass`. – Kusalananda Mar 11 '19 at 19:53
  • @Kusalananda Just tried. Makes no difference. – JBis Mar 11 '19 at 23:04
  • Also, try putting the `rdr` line before the `com.apple` comment. `rdr` lines belong to the "translation" set of rules. – Kusalananda Mar 11 '19 at 23:09
  • @Kusalananda I just tested. If I use a custom anchor it seems to works as is... – JBis Mar 11 '19 at 23:10
  • @Kusalananda Same error with `rdr` prepended to the comment – JBis Mar 11 '19 at 23:11
  • Same, with a syntax error? What does the `rdr` line look like now? – Kusalananda Mar 11 '19 at 23:12
  • @Kusalananda See edit – JBis Mar 11 '19 at 23:17
  • Oh, I meant, put your `rdr` rule above the comment, following the same syntax/pattern as the example that I quoted from the `pf.conf` manual. Unfortunately I don't know enough about `pf` anchors to say anything about them, and if this does not work, we'll have to wait for some other wizard to come by. – Kusalananda Mar 11 '19 at 23:21
  • @Kusalananda Will try. Also take a look at chat, – JBis Mar 11 '19 at 23:26

1 Answers1

6

As the error message states, you need to add your rdr rule next to the other translation rules on pf.conf. Since there is already a rdr anchor present, the best bet is to put your rdr rule right after it:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr pass inet proto tcp to port 5800 -> 192.168.1.246 port 5900
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

(from any to any is implied if omitted, so I removed it for readability)

The rdr rule only tells the packet filter what to do with the TCP packets that arrive on port 5800. You'd normally need a pass rule (i.e. a filtering rule) to tell pf they are allowed to come in, but it is enough to add pass to the rdr rule, hence rdr pass.

Note that for the packet to be forwarded, you need to enable it with sysctl or set it permanently in sysctl.conf (see man pfctl):

$ sudo sysctl net.inet.ip.forwarding=1
Zé Loff
  • 1,627
  • 8
  • 20