How to setup simple port forwarding on macOS with pf? “Rules must be in order: options, normalization, queueing, translation, filtering”

by

I am trying to pass traffic from Mac A port 5800 to Mac B on port 5900 using pf.

This is the intended path of travel:

Client to port 5800 → Router (Yes, port forwarding is setup here) → Mac with PF → PF → 192.168.1.246 port 5900

The following is the rule I intend to use (maybe its wrong):

rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 1

When I add the rule to /etc/pf.conf directly and run sudo pfctl -f /etc/pf.conf I get: 

$ sudo pfctl -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:29: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

My config file is below:

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically 
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 2

If I use an anchor with the same rule above, I get no error. However, the port is still closed and I get connection refused when trying to connect. After doing some research, I found that one possibly is that there is nothing listing on port 5800, so it is refused but

  1. I don’t want anything to be listening, just forward the traffic to the other computer
  2. Even if nc is listening I still get refused from external and from internal (localhost) it doesn’t forward

Answer

As the error message states, you need to add your rdr rule next to the other translation rules on pf.conf. Since there is already a rdr anchor present, the best bet is to put your rdr rule right after it:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr pass inet proto tcp to port 5800 -> 192.168.1.246 port 5900
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

(from any to any is implied if omitted, so I removed it for readability)

The rdr rule only tells the packet filter what to do with the TCP packets that arrive on port 5800. You’d normally need a pass rule (i.e. a filtering rule) to tell pf they are allowed to come in, but it is enough to add pass to the rdr rule, hence rdr pass.

Note that for the packet to be forwarded, you need to enable it with sysctl or set it permanently in sysctl.conf (see man pfctl):

$ sudo sysctl net.inet.ip.forwarding=1

Attribution
Source : Link , Question Author : JBis , Answer Author : Zé Loff

Leave a Comment