Posted by 西维蜀黍 on 2024-05-06, Last Modified on 2024-05-07

PF (Packet Filter)

PF (Packet Filter, also written pf) is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter (iptables), ipfw, and ipfilter.

PF was developed for OpenBSD, but has been ported to many other operating systems.



# shows how it has interpreted the filtering rules in your config file, including substitutions and defaults
$ pfctl -s

# Shows the NAT rules
sudo pfctl -s nat (or pfctl -sn): 

# Shows all the things
sudo pfctl -s all (or pfctl -sa): 


View status

sudo pfctl -s info | grep Status

Enable pf if not already enabled: If pf is not already running, you can enable it with:

sudo pfctl -e

disable the PF firewall:

sudo pfctl -d

Edit Rules

  • The pf configuration files are located at /etc/pf.conf. You can edit this file to add or modify rules. After editing, you need to reload the configuration with: sudo pfctl -f /etc/pf.conf

Foward Ports

Forward A Local Port to A Local Port

for the packet to be forwarded, you need to enable it with sysctl or set it permanently in sysctl.conf (see man pfctl):

$ sudo sysctl net.inet.ip.forwarding=1

To make this change permanent, you can add the line net.inet.ip.forwarding=1 to /etc/sysctl.conf.

Create a pf rule: You need to write a rule in the pf configuration file that specifies which port to forward to another port. Below is an example of how you can forward traffic from port 80 to port 8080 on the local machine.

You can add the following line to your /etc/pf.conf file:

# Note that this rule has to be added after rdr-anchor "com.apple/*"
rdr pass on lo0 inet proto tcp from any to any port 80 -> port 8080
# not working below (my IP is
# rdr pass on en0 inet proto tcp from any to port 80 -> port 8000

# My /etc/pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr pass inet proto tcp from any to any port 80 -> port 8000
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

This rule tells pf to redirect TCP traffic that is destined for port 80 on any interface to port 8080 on the localhost (

Load the pf configuration: After modifying the pf configuration file, you need to load the new rules. You can do this by running the following command:

sudo pfctl -f /etc/pf.conf

This command will load the configuration from /etc/pf.conf.

Enable pf if not already enabled: If pf is not already running, you can enable it with:

sudo pfctl -e


Forward A Local Port to An External Port

As a Jump Server For Another Server

# on
rdr pass on en0 inet proto tcp from any to port 3307 -> port 32001
nat on en0 inet proto tcp from any to port 32001 ->

# on
# i.e., access via on, i.e., is a jump server 
$ telnet 3307

# But, if on, telnet 3307 doesn't work, which is what I didn't figure out.

Not As a Jump Server

My scenarios is:

  1. The IP of is xx.rwlb.singapore.rds.aliyuncs.com
  2. My local development env is not able to directly access due to security concerns
  3. My DBA sets a jump server ( as a proxy to allow my local development env to indirectly access
  4. However, all middleware addresses are hard coded in my code repo, i.e.,
  5. I wanna not modify the code and am still able to connect to all middleware

Idea: map to on kernel level, so that connecting actually is forwarded to As a result, my code doesn’t need any

# on, I wanna forward the traffic reaching to
rdr pass on en0 inet proto tcp from to port 32111 -> port 3306
#nat on en0 inet proto tcp from to port 3306 ->

# But it doesn't work, which may because

     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     [b]Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.[/b]
     (from https://forums.freebsd.org/threads/redirect-all-traffic-from-ip-to-another.59364/)