# [Closed - not FreeBSD] pf redirect not working



## stexx (Aug 28, 2014)

Hello everyone,

I would like to configure PF on my MacBook to redirect all outgoing HTTP traffic to my local web development proxy. Now I've been fiddling for about four hours with this (IMHO simple) scenario but can't get it running (so I'm slowly freaking out  :x ).

Could you maybe tell me where my mistake is? Unfortunately I don't have much experience with PF yet (so it's probably just a stupid error). It seems like the rdr directive is simply ignored by PF (in the log all outgoing HTTP traffic is blocked by the block rule).

Here is the content of my pf.conf:

```
set block-policy return
set loginterface pflog0
set skip on lo0

WlanIf="en1"

#activate redirect to localhost
rdr pass log on $WlanIf inet proto tcp from any to any port 80 -> lo0 port 80

#set default action to block
block return log on $WlanIf

#allow http connections to localhost
pass log on $WlanIf inet proto tcp from any to lo0 port 80
pass log on $WlanIf inet proto tcp from lo0 to any port 80
```

Here the output of `ifconfig` for en1 and lo0:

```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	nd6 options=1<PERFORMNUD>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether XX:XX:XX:XX:XX:XX 
	inet6 fe80::225:ff:feXX:XXXX%en1 prefixlen 64 scopeid 0x5 
	inet 192.168.1.105 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
```

For testing purposes I started a netcat listener on port 80 in order to test the setup: `sudo nc -vvvv -l 0.0.0.0 80`

When I now try to access an internet IP, the rdr directive simply is ignored

```
$ nc -vvv 1.2.3.4 80
nc: connectx to 1.2.3.4 port 80 (tcp) failed: Connection refused
```

The corresponding pflog output:

```
$ sudo tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 0/0(match): block out on en1: 192.168.1.105.50666 > 1.2.3.4.80: Flags [S], seq 4148009100, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 136696737 ecr 0,sackOK,eol], length 0
```

Another strange thing is, that when I explicitly try to access my own IP (192.168.1.105), the rdr works (but fails in another stage): `nc -vvv 192.168.1.105 80`

pflog output:

```
$ sudo tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:01.375828 rule 0/0(match): rdr in on en1: 192.168.1.105.50692 > 127.0.0.1.80: Flags [S], seq 223882366, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 136836828 ecr 0,sackOK,eol], length 0
00:00:00.000027 rule 0/0(match): block in on en1: 127.0.0.1.80 > 192.168.1.105.50692: Flags [R.], seq 0, ack 223882367, win 0, length 0
00:00:01.005844 rule 0/0(match): block in on en1: 127.0.0.1.80 > 192.168.1.105.50692: Flags [R.], seq 0, ack 1, win 0, length 0
00:00:01.006804 rule 0/0(match): block in on en1: 127.0.0.1.80 > 192.168.1.105.50692: Flags [R.], seq 0, ack 1, win 0, length 0
```

It would be great if you could give me some hints
Thanks in advance!


----------



## SirDice (Aug 28, 2014)

*Re: pf redirect not working*

Please read the rules, specifically rule #11.

viewtopic.php?f=49&t=38922

Thread closed.


----------

