PF not forwarding incoming traffic on loopback from one port to another

Scenario

I have a server listening on port 3000 on localhost. I want incoming traffic to localhost:8080 to be forwarded to that server.

My set up:

  1. Server listens on port 3000; nothing listens on port 8080
  2. pfctl: rdr pass log on lo0 proto tcp from any to any port 8080 -> 127.0.0.1 port 3000
  3. watch all incoming connections to port 8080 on lo0 interface: sudo tcpdump -nn -i lo0 dst port 8080 -v

Test

curl localhost:8080

Expected

  1. server on port 3000 gets request from curl
  2. tcpdump returns smth like: 127.0.0.1.57330 > 127.0.0.1.3000 < more-info >

Reality

  1. curl gets curl: (7) Failed to connect to localhost port 8080: Connection refuse
  2. tcpdump returns 127.0.0.1.57330 > 127.0.0.1.8080 < more-info >

=> tcpdump output means that the rule was not applied since the destination port is still 8080 and not 3000.

Question

Where did my configuration went wrong and how to make it right?


Solution 1:

First of all, it's not pfctl (who forwards), but rather PF instead. pfctl is just a controlling utility (hence "ctl").

Now to debugging. You gave none of that info so that all is based on my own expertise and assumptions, read "guesses".

pfctl -si should show you if PF is actually enabled. Yes, rules can be loaded into it, but being disabled it won't process traffic.

pfctl -vsn should show if your NAT rules are getting any hits or they aren't.

And if you have some other PF rules applied you'd better be sure there's no set skip on lo0.