macOS network pf.conf

I have a question regarding /etc/pf.conf.

If I use this rule:

rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080

all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104.

Additionally, the hotspot generated through bridge100 will also become unavailable.

Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation only returns to normal when I restart my Mac. My macOS version: 15.3.2

My /etc/pf.conf:

#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"

rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080

dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
Answered by DTS Engineer in 829032022

I don’t have any answers for you here, but I wanted to explain why that’s the case:

  • DevForums is primarily focused on helping developers with the APIs in our platform SDKs.

  • Packet Filter is not considered an API [1]. Rather, it’s an implementation detail of various macOS networking systems.

If you’re asking about this because you plan to ship a product based on PF, please don’t do that. There are better options, and I’m happy to help you adopt them.

If you’re doing this on your own Mac, or Macs you manage, then I recommend that you bounce on over to Apple Support Community, run by Apple Support, and specifically in the Business and Education topic area, where you’re more likely to find folks with experience with this tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And we now say as much, in TN3165 Packet Filter is not API.
