macOS has no iptables; the equivalent software is PF, and its command is pfctl. Earlier versions (<= 10.10) used IPFW, which was later replaced by PF. Some OpenBSD material can be used, but it is not very useful.
Online coverage of the pfctl parameters is incomplete; we recommend reading man pfctl.
Here is a collection of common uses:
To do port forwarding with PF:
First we need to turn on the system's port forwarding function.
To enable it for the current boot only:
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet6.ip6.forwarding=1
To enable it at every boot, add or modify the file /etc/sysctl.conf as root, adding the following two lines:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
To view the current status of the port forwarding feature:
sudo sysctl -a | grep forwarding
After you turn on port forwarding, you can configure port forwarding rules. You can follow the manual:
man pf.conf
or create a new file manually as follows. Suppose the contents of /etc/pf.anchors/http are:
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4443
rdr pass on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on en0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 4443
Check its correctness (-n parses the file without loading it):
sudo pfctl -vnf /etc/pf.anchors/http
Modify the main PF configuration file /etc/pf.conf to enable the http anchor we added.
pf.conf is strict about statement order: statements of the same type must be grouped together, otherwise pfctl reports the error "Rules must be in order: options, normalization, queueing, translation, filtering".
Under rdr-anchor "com.apple/*", add:
rdr-anchor "http-forwarding"
Under load anchor "com.apple" from "/etc/pf.anchors/com.apple", add:
load anchor "http-forwarding" from "/etc/pf.anchors/http"
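A static pre-check for the ordering rule above, as an added example that is not part of the original article: it classifies each statement by its first keyword using a simplified map and flags any statement that appears after a later section has begun, then confirms the new anchor is both referenced and loaded. The function names and the two sample files are constructed for illustration.

```shell
# Added example: order check for a pf.conf-style file (simplified keyword map, an assumption).
# Prints each out-of-order statement and returns 1 if any is found.
check_pf_order() {
    awk '
    function rank(w) {
        if (w == "set") return 1                             # options
        if (w ~ /^scrub/) return 2                           # normalization
        if (w == "altq" || w == "queue") return 3            # queueing
        if (w ~ /^(nat|rdr|binat)/) return 4                 # translation
        if (w ~ /^(anchor|pass|block|antispoof)$/) return 5  # filtering
        return 0                                             # load, table, macros: not checked
    }
    /^[ \t]*(#|$)/ { next }                                  # skip comments and blank lines
    {
        r = rank($1); if (r == 0) next
        if (r < highest) { printf "line %d out of order: %s\n", NR, $0; bad = 1 } else highest = r
    }
    END { exit bad }
    ' "$1"
}
# Returns 0 only if anchor NAME ($2) is referenced by rdr-anchor and loaded from a file.
check_anchor_wired() {
    grep -Eq "^[[:space:]]*rdr-anchor[[:space:]]+\"$2\"" "$1" &&
    grep -Eq "^[[:space:]]*load[[:space:]]+anchor[[:space:]]+\"$2\"[[:space:]]+from" "$1"
}
# Constructed samples: good.conf follows the placement described above; bad.conf appends at the end.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/good.conf" <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "http-forwarding"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "http-forwarding" from "/etc/pf.anchors/http"
EOF
cat > "$SAMPLES/bad.conf" <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
rdr-anchor "http-forwarding"
EOF
check_pf_order "$SAMPLES/good.conf" && echo "good.conf: order ok"
check_pf_order "$SAMPLES/bad.conf" || echo "bad.conf: fix the order before loading"
```

The check is only a quick lint on a copy of the file; pfctl -vnf remains the authoritative parser.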
Finally, load the configuration and enable PF:
sudo pfctl -ef /etc/pf.conf
Use the -e option to enable the PF service. To force a restart of the PF service, use the -E option:
sudo pfctl -E
To turn PF off, use the -d option:
sudo pfctl -d
Since Mavericks, the PF service no longer starts at boot by default. If you need the PF service to start at boot, read on.
The new Mac OS 10.11 El Capitan adds the System Integrity Protection mechanism, so you need to reboot into Safe mode and run the following command to turn off file system protection.
$ csrutil enable --without fs
You can then modify the /System/Library/LaunchDaemons/com.apple.pfctl.plist file to enable PF at boot.
Add a -e line to the plist file, as follows:
<string>pfctl</string>
<string>-e</string>
<string>-f</string>
<string>/etc/pf.conf</string>
References:
https://www.v2ex.com/t/191810
http://man.linuxde.net/pfctl
http://www.jianshu.com/p/6052831a8e91 (the sections above are reproduced from this article)
http://www.jianshu.com/p/427337c95a4a
Use PF for port forwarding and firewall configuration under Mac (Linux-like iptables)