Cross-interface port forwarding with pf on Mac OS X: asking for expert help
This post was last edited by wind315 on 2014-4-3 21:10. I searched every Chinese forum I could find and did not find a solution to my problem, so I'm asking here, hoping an expert can help; thanks! I'm currently running Mountain Lion 10.8.5. Since I saw that Apple no longer recommends the old ipfw, I switched to pf for port forwarding. I want every connection arriving on interface en0 for port 80 to be forwarded to port 8080 on 127.0.0.1. My steps are as follows:
1. I have already set the contents of /etc/sysctl.conf to:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Running sysctl -a | grep ip.fo shows that packet forwarding is indeed enabled.
2. I configured the redirect rule in /etc/pf.conf:
rdr pass on en0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
3. I visit any website and run: pfctl -s state
It shows no port-forwarding information at all.
If in step 2 I instead use: rdr pass on lo0 proto tcp from any to 127.0.0.2 port 80 -> 127.0.0.1 port 8080
then the command from step 3 shows the port being redirected to port 8080 on 127.0.0.1.
Could someone explain why I can't redirect ports across interfaces? Thanks!
I'm attaching an English article below. My English isn't good and I can't ask on foreign forums, so if my problem can't be solved here, could someone translate my request and post it, and I'll go ask abroad? Thanks in advance!
https://gist.github.com/kujohn/7209628

Port Forwarding in Mavericks

Since Mavericks stopped using the deprecated ipfw (as of Mountain Lion), we'll be using pf to allow port forwarding.

1. Anchor file
Create an anchor file under /etc/pf.anchors/<anchor file> with your redirection rule like:
rdr pass on lo0 inet proto tcp from any to 127.0.0.2 port 80 -> 127.0.0.1 port 40070

2. Test the anchor file
Parse and test your anchor file to make sure there are no errors:
sudo pfctl -vnf <anchor file>

3. Reference the anchor in pf.conf
/etc/pf.conf is the main configuration file that pf loads at boot. We'll need to load the anchor file we previously created:
rdr-anchor "forwarding"
load anchor "forwarding" from "/etc/pf.anchors/<anchor file>"
Make sure to add these entries to the appropriate spot.

4. Load and enable pf
pf is not enabled by default in Mavericks; there are a few ways to enable this:
- Manually load and enable from a pf.conf file via sudo pfctl -ef <pf.conf file>
- Auto enable by creating a launch daemon via this doc to run pfctl -ef <pf.conf file> on boot.
- Auto enable by adding an -e (enable) to the pfctl ProgramArguments in /System/Library/LaunchDaemons/com.apple.pfctl.plist like this:
<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-e</string>
<string>-f</string>
<string>/etc/pf.conf</string>
</array>

5. Forwarding across interfaces
By default, pf does not forward between interfaces. Here's a snippet from man for pfctl with help from 2sidedfigure:
"The packet filter does not itself forward packets between interfaces. Forwarding can be enabled by setting the sysctl(8) variables net.inet.ip.forwarding and/or net.inet6.ip6.forwarding to 1. Set them permanently in sysctl.conf(5)."
We'll need to enable this by adding to /etc/sysctl.conf:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Caution
There is the possibility that pf.conf will be overridden with updates to the OS. It might be best to create your own pf config file and load it in addition to the main pf.conf to prevent this.
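As an added example (not code from the thread or from the gist above), here is a complete anchor file that follows the gist's steps and implements the forwarding the original post asks for, with the matching pf.conf entries and check commands in comments. The anchor name "forwarding", the ports 80 and 8080 and the sysctl settings come from the thread; the file name /etc/pf.anchors/forwarding and the LAN prefix 192.168.1.0/24 are assumptions. The comment on which packets an rdr rule sees is the point that explains the empty state table in step 3 of the post: rdr rules match packets arriving on the named interface, and a browser on the same Mac sends its packets out through en0, so they never reach the en0 rule. Whether a particular macOS build delivers the redirected packet to the loopback address is worth confirming with a connection from another host.

```pf
# /etc/pf.anchors/forwarding   (added example; file name is an assumption)
#
# Prerequisite (from the thread): /etc/sysctl.conf must contain
#   net.inet.ip.forwarding=1
#   net.inet6.ip6.forwarding=1
#
# Which packets a rule sees:
#   "rdr ... on en0" matches packets ARRIVING on en0, i.e. from other hosts.
#   A browser on this Mac sends its packets OUT through en0, so a local test
#   never hits the en0 rule and "pfctl -s state" shows nothing for it.
#   Use the lo0 rule for a local test (as the gist does) and test the en0
#   rule from another machine on the LAN.

# Local test only: connecting to 127.0.0.2:80 on this Mac lands on 127.0.0.1:8080.
rdr pass on lo0 inet proto tcp from any to 127.0.0.2 port 80 -> 127.0.0.1 port 8080

# Cross-interface case: port 80 requests from other hosts arriving on en0 are
# redirected to the local service listening on 127.0.0.1:8080.
# Narrowing "from any" to the trusted network keeps the redirect from exposing
# the backend to every host that can reach en0 (192.168.1.0/24 is an assumption).
rdr pass on en0 inet proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 8080

# Entries to add to /etc/pf.conf. pf requires translation rules (rdr, rdr-anchor)
# before filter rules, so put the rdr-anchor line next to the existing
# rdr-anchor "com.apple/*" line and the load line after the com.apple load line:
#
#   rdr-anchor "forwarding"
#   load anchor "forwarding" from "/etc/pf.anchors/forwarding"
#
# Check the anchor parses, reload, then inspect what was loaded and what matched:
#
#   sudo pfctl -vnf /etc/pf.anchors/forwarding   # parse only, report errors
#   sudo pfctl -ef /etc/pf.conf                  # enable pf and load the rules
#   sudo pfctl -a forwarding -s nat              # list the rdr rules in this anchor
#   sudo pfctl -s state                          # states appear only for traffic
#                                                # that actually hit a rule
```

The two rdr lines are independent: keep the lo0 line while testing on the Mac itself and drop it once the en0 path has been confirmed from another host, so the loopback redirect does not linger in the production configuration.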
Bumping my own thread. Bump: still not solved, has anyone solved this?