# RDR not working



## ChickenLittle (May 2, 2013)

Hi all,

I'm new to pf - transitioning over from iptables.

Confession: I'm not using FreeBSD (using OS X 10.7), but I _am_ using a similar version of pf.

I have these configurations:

pf.conf

```
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#


# Build the orderings

scrub-anchor "com.mycompany.external"
scrub-anchor "com.apple/*"
scrub-anchor "com.mycompany.internal"


nat-anchor "com.mycompany.external"
nat-anchor "com.apple/*"
nat-anchor "com.mycompany.internal"


rdr-anchor "com.mycompany.external"
rdr-anchor "com.apple/*"
rdr-anchor "com.mycompany.internal"


dummynet-anchor "com.mycompany.external"
dummynet-anchor "com.apple/*"
dummynet-anchor "com.mycompany.internal"



# Add our external anchor

anchor "com.mycompany.external"



# Add Apple's anchor (and load it)

anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"



# Add our internal anchor

anchor "com.mycompany.internal"
```

internal (loaded in via command prompt. Trust me: this is working)

```
# 0) Definitions

lanIF   =   "en0"
wanIF   =   "en4"

lanIPs  =   "10.0.0.0/16"





########## Filtering ##########


# Loopback

set skip on lo0



# We trust our LAN

pass in on $lanIF 
pass out on $lanIF
```


external (loaded same as internal)

```
# 0) Definitions

lanIF   =   "en0"
wanIF   =   "en4"

lanIPs  =   "10.0.0.0/16"






########## Scrub ##########

scrub in on $wanIF




########## Routes ##########


# Port forwarding

rdr pass  on $wanIF  proto tcp  from any  to any  port 80 -> 10.0.0.2 port 80
rdr pass  on $wanIF  proto tcp  from any  to any  port 443 -> 10.0.0.2 port 443

#rdr  on $wanIF  proto tcp  from any  to any  port any -> 10.0.0.9


# Enable router

nat  on $wanIF  from $lanIPs -> $wanIF




########## Filtering ##########


# Allow egress on WAN anytime

pass out quick on $wanIF


# Allow pings

pass in quick inet proto icmp all icmp-type echoreq


# Default: block everything
# (note: established connections don't go through these rules)

block drop in quick on $wanIF
```

The problem I'm having is that outside people can't connect to my HTTP/HTTPS server. (Granted, my ISP blocks HTTP, but HTTPS worked with iptables so I know it works).

Can anybody tell me what I'm doing wrong?


----------



## SirDice (May 2, 2013)

ChickenLittle said:
			
		

> Confession: I'm not using FreeBSD (using OS X 10.7), but I AM using a similar version of pf.


Please use an OS-X forum for your questions. There's no telling what exactly the implementation differences are.

Here's a good one: http://hintsforums.macworld.com/

Thread closed.


----------

