How to setup simple port forwarding on macOS with pf? “Rules must be in order: options, normalization, queueing, translation, filtering”
I am trying to pass traffic from Mac A port 5800 to Mac B on port 5900 using pf.

This is the intended path of travel:

Client to port 5800 → Router (Yes, port forwarding is set up here) → Mac with PF → PF → 192.168.1.246 port 5900

The following is the rule I intend to use (maybe it's wrong):

    rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 1

When I add the rule to /etc/pf.conf directly and run sudo pfctl -f /etc/pf.conf I get:

    $ sudo pfctl -f /etc/pf.conf
    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.
    No ALTQ support in kernel
    ALTQ related functions disabled
    /etc/pf.conf:29: Rules must be in order: options, normalization, queueing, translation, filtering
    pfctl: Syntax error in config file: pf rules not loaded

My config file is below:

    #
    # Default PF configuration file.
    #
    # This file contains the main ruleset, which gets automatically loaded
    # at startup. PF will not be automatically enabled, however. Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8). That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here. In addition,
    # to the anchors loaded by this file, some system services would dynamically
    # insert anchors into the main ruleset. These anchors will be added only when
    # the system service is used and would removed on termination of the service.
    #
    # See pf.conf(5) for syntax.
    #
    #
    # com.apple anchor point
    #
    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    rdr pass inet proto tcp from any to any port 5800 -> 192.168.1.246 port 5900

Problem 2

If I use an anchor with the same rule above, I get no error. However, the port is still closed and I get connection refused when trying to connect. After doing some research, I found that one possibility is that there is nothing listening on port 5800, so it is refused, but

- I don't want anything to be listening, just forward the traffic to the other computer
- Even if nc is listening I still get refused from external, and from internal (localhost) it doesn't forward

osx port-forwarding pf
asked Mar 11 at 19:27 by JBis, edited Mar 12 at 0:02
The syntax is wrong. The example in the pf.conf manual has rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd. Note: No pass.
– Kusalananda♦ Mar 11 at 19:53

@Kusalananda Just tried. Makes no difference.
– JBis Mar 11 at 23:04

Also, try putting the rdr line before the com.apple comment. rdr lines belong to the "translation" set of rules.
– Kusalananda♦ Mar 11 at 23:09

@Kusalananda I just tested. If I use a custom anchor it seems to work as is...
– JBis Mar 11 at 23:10

@Kusalananda Same error with rdr prepended to the comment
– JBis Mar 11 at 23:11
1 Answer
As the error message states, you need to add your rdr rule next to the other translation rules in pf.conf. Since there is already a rdr anchor present, the best bet is to put your rdr rule right after it:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    rdr pass inet proto tcp to port 5800 -> 192.168.1.246 port 5900
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"

(from any to any is implied if omitted, so I removed it for readability)

The rdr rule only tells the packet filter what to do with the TCP packets that arrive on port 5800. You'd normally need a pass rule (i.e. a filtering rule) to tell pf they are allowed to come in, but it is enough to add pass to the rdr rule, hence rdr pass.

Note that for the packet to be forwarded, you need to enable it with sysctl or set it permanently in sysctl.conf (see man pfctl):

    $ sudo sysctl net.inet.ip.forwarding=1
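The following POSIX shell script is an added example, not code from the question or the answer. It covers both halves of the thread: the "Rules must be in order" error from the question, by ranking each pf.conf line into the five sections pfctl enforces and reporting the first rule that steps backwards (with a pfctl-style file:line message), and the answer's fix, by inserting the rdr rule directly after the rdr-anchor line and listing the parse, load, enable and forwarding steps. The function names, the constructed stand-in for the stock /etc/pf.conf anchor section and the temp paths are this example's own; ranking dummynet rules with the filtering section is an assumption based on where the stock file places dummynet-anchor.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Ranks pf.conf lines into the sections pfctl enforces, reports out-of-order
# rules the way pfctl does, and inserts the page's rdr rule after rdr-anchor.
# Function names, the constructed config fragment and temp paths are this
# example's own; pfctl/sysctl are only invoked by apply_pf_rules (never here).

RDR_RULE='rdr pass inet proto tcp to port 5800 -> 192.168.1.246 port 5900'

# Rank of a line in pfctl's required order:
# 1 options, 2 normalization, 3 queueing, 4 translation, 5 filtering.
# Comments, blank lines, macros, tables and "load anchor" have no rank (0).
# Assumption: dummynet rules are ranked with filtering, which matches the
# stock macOS /etc/pf.conf placing dummynet-anchor after the translation anchors.
pf_section_rank() {
    _l=$1
    _l=${_l#"${_l%%[![:space:]]*}"}            # strip leading whitespace
    case "$_l" in
        ''|'#'*|*=*|table*|'load anchor'*)      echo 0 ;;
        'set '*)                                echo 1 ;;
        scrub*)                                 echo 2 ;;   # scrub, scrub-anchor
        altq*|queue*)                           echo 3 ;;
        nat*|rdr*|binat*)                       echo 4 ;;   # nat-anchor, rdr-anchor, rdr, binat
        block*|pass*|match*|anchor*|dummynet*)  echo 5 ;;
        *)                                      echo 0 ;;
    esac
}

# Walk a ruleset file; for the first ranked line that falls into an earlier
# section than one above it, print a pfctl-style message and return 1.
# Return 0 when the ordering is valid.
pf_check_order() {
    _file=$1 _max=0 _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        _r=$(pf_section_rank "$_line")
        [ "$_r" -eq 0 ] && continue
        if [ "$_r" -lt "$_max" ]; then
            printf '%s:%d: Rules must be in order: options, normalization, queueing, translation, filtering\n' "$_file" "$_n"
            return 1
        fi
        _max=$_r
    done < "$_file"
    return 0
}

# Copy $1 to $2, inserting rule $3 directly after the first rdr-anchor line,
# which is the placement the accepted answer gives.
pf_insert_rdr() {
    awk -v rule="$3" '{ print } /^rdr-anchor / && !done { print rule; done = 1 }' "$1" > "$2"
}

# Constructed stand-in for the anchor section of the stock macOS /etc/pf.conf.
write_stock_conf() {
    cat > "$1" <<'EOF'
# com.apple anchor point
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
EOF
}

# The question's layout: the rdr rule appended after the filtering anchor.
write_broken_conf() {
    write_stock_conf "$1"
    printf '%s\n' "$RDR_RULE" >> "$1"
}

# macOS only. Parse first (-n loads nothing, so an ordering or syntax error
# stops here with the live ruleset untouched), then load, enable and turn on
# IP forwarding as the answer describes. Not called by this script.
apply_pf_rules() {
    sudo pfctl -nf "$1" || return 1
    sudo pfctl -f "$1"                      # load the ruleset
    sudo pfctl -E                           # enable pf (reference-counted on macOS)
    sudo sysctl net.inet.ip.forwarding=1    # let redirected packets leave the host
    sudo pfctl -s nat                       # the rdr rule should appear in the translation set
}

# Demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_stock_conf "$demo_dir/stock.conf"
write_broken_conf "$demo_dir/broken.conf"
pf_insert_rdr "$demo_dir/stock.conf" "$demo_dir/fixed.conf" "$RDR_RULE"
pf_check_order "$demo_dir/broken.conf" || echo "broken.conf rejected, as pfctl would"
pf_check_order "$demo_dir/fixed.conf" && echo "fixed.conf ordering is valid"
```

Running the script shows broken.conf flagged at its line 8 (the appended rdr rule, a translation rule after the filtering anchor) and fixed.conf passing. On the Mac itself, run `apply_pf_rules /path/to/new.conf` by hand; the `pfctl -nf` step is the safe way to catch this class of error before anything is loaded, and `pfctl -s nat` confirms the rdr rule landed in the translation set.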
answered Mar 15 at 0:39 by Zé Loff