I'm running pf on OSX 13.6.1, and I wanted to create a rule so that all TCP packets outbound towards 146.59.110.108:1337 (example) will have to be redirected to 127.0.0.1:1337, except if they come from 127.0.0.1:7331, in which case they should be allowed to pass back over to 146.59.110.108:1337.
I created these 2 rules in /etc/pf.anchors/pf.conf
    # Redirects outbound traffic going to external server towards local proxy
    rdr on en0 inet proto tcp from any to 146.59.110.108 port 1337 -> 127.0.0.1 port 1337
    # Allows the traffic already redirected through the proxy (and coming out now from another port) to reach the external server
    pass out on en0 inet proto tcp from 127.0.0.1 port 7331 to 146.59.110.108 port 1337
There are 2 problems:
- Transformation rules must be ordered in front of filtering rules. However, if everything originally destined for the external server is redirected over to localhost:1337, then it would cause an infinite loopback as the 2nd rule is not matched before the 1st?
- When running

        pfctl -sr

  to validate the rules, only the pass rule is shown but not the redirect rule:

        pass out on en0 inet proto tcp from 127.0.0.1 port = 7331 to 146.59.110.146 port = 1337 flags S/SA keep state
ALTQ is also absent from the kernel, however I don't believe it affects the result.
Is it true that RDR only works with NAT and cannot redirect external-bound packets back to the local interface? And does anyone know how I can work around this?
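An added example, not the poster's configuration, of the usual pf layout for redirecting locally generated connections: rdr only matches packets arriving on an interface, so the outbound flow is first steered through lo0 with route-to and the rdr is attached to lo0 rather than en0, while a quick rule exempts the proxy's own upstream connection so it is not redirected again. The anchor name local-proxy is a placeholder; it assumes the proxy pins its upstream source port to 7331, that this upstream connection leaves en0 with en0's address (not 127.0.0.1) as source, which is why the exemption matches on port only, and that /etc/pf.conf does not contain "set skip on lo0".

```pf
# /etc/pf.anchors/local-proxy   (anchor name is a placeholder)
# Translation rules come first. rdr only acts on packets *arriving* on an
# interface, so it is attached to lo0, where the route-to rule below sends
# the outbound connections, instead of en0.
rdr pass on lo0 inet proto tcp from any to 146.59.110.108 port 1337 -> 127.0.0.1 port 1337

# Filter rules. The proxy's own upstream connection (source port pinned to
# 7331, assumed) hits this 'quick' rule first, so evaluation stops here: it
# is neither sent to lo0 nor redirected, which is what breaks the loop.
pass out quick on en0 inet proto tcp from any port 7331 to 146.59.110.108 port 1337 flags S/SA keep state

# Every other outbound connection to that destination is pushed through lo0,
# where the rdr above rewrites it to the local proxy.
pass out route-to lo0 inet proto tcp from any to 146.59.110.108 port 1337 flags S/SA keep state

# /etc/pf.conf: hook the anchor in. rdr-anchor must precede anchor, the same
# translation-before-filtering ordering pfctl enforces inside the file.
# This only works if lo0 is not skipped (no "set skip on lo0").
rdr-anchor "local-proxy"
anchor "local-proxy"
load anchor "local-proxy" from "/etc/pf.anchors/local-proxy"
```

pfctl -sr lists filter rules only; translation rules appear under pfctl -sn (or pfctl -a local-proxy -sn for just this anchor), and pfctl -vnf /etc/pf.anchors/local-proxy parses the file without loading it.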