# Port forwarding on localhost?



## sgeos (Sep 21, 2015)

My goal is to forward all traffic from port 80 to a web server listening on localhost:8080.  My ipfw(8) setup is as follows.

/etc/rc.conf

```
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_script="/etc/ipfw.rules"
firewall_myservices="ssh/tcp http/tcp https/tcp"
firewall_allowservices="any"
firewall_logdeny="YES"
```

/etc/ipfw.rules

```
#!/bin/sh
cmd="ipfw -q add"
$cmd 1000 fwd localhost,80 tcp from any to me 8080
```

This almost works.  I get valid responses when I access port 80 from another machine.  Naturally, attempting to access port 8080 from the outside fails.

Running `curl localhost` on the machine the web server is running on fails (curl: (7) Failed to connect to localhost port 80: Connection refused).  Running `curl localhost:8080` succeeds.  How can I forward requests from localhost:80 to localhost:8080?


----------



## sgeos (Sep 21, 2015)

I am convinced the above setup is broken.  Nevertheless I can get ipfw(8) to redirect external port 80 connections to 127.0.0.1:8080.  The best I can do locally is `curl localhost:8080`.  Depending on the settings all local curl(1) attempts fail.

I am having the same problem with pf(4).  Is port forwarding on localhost non-trivial or am I missing something?


----------



## SirDice (Sep 21, 2015)

Not sure about ipfw(8) but for pf(4) packets must travel through an interface. Traffic from localhost to localhost doesn't traverse an interface and therefore cannot be redirected.

Why don't you simply have the webserver listen on both 80 and 8080 ports?


----------



## wblock@ (Sep 21, 2015)

It makes no sense to set firewall_type and then declare your own firewall script.  firewall_type is for selecting from the predefined firewalls.


----------



## sgeos (Sep 21, 2015)

SirDice said:


> Not sure about ipfw(8) but for pf(4) packets must travel through an interface. Traffic from localhost to localhost doesn't traverse an interface and therefore cannot be redirected.



Being able to `curl localhost/endpoint` is ultimately a development convenience at this point.  If the reality is `curl localhost:8080/endpoint`, I have been dealing with that and can continue to do so.



SirDice said:


> Why don't you simply have the webserver listen on both 80 and 8080 ports?


The goal is to listen on port 80.  Getting there via 8080 is an implementation detail.

I am running a custom webapp server as an unprivileged user with daemon(8).  So far as I can tell, I would need to run daemon(8) as root to listen on port 80.  This is a bad idea.  If there is a workaround, I would love to hear it.  Alternatively, is using something like www/nginx as a reverse proxy the correct tool for this job?



wblock@ said:


> It makes no sense to set firewall_type and then declare your own firewall script.  firewall_type is for selecting from the predefined firewalls.


Yes, the setup in my original post is broken.  I was hoping to extend the predefined firewall in firewall_type with additional rules from firewall_script.  Presumably there is a correct way to do this.


----------

