Vagrant Port Forwarding on OS X Yosemite

Vagrant Port Forwarding (8080 -> 80, 8443 -> 443) with pf on OSX Mavericks/Yosemite

This guide is a fork from this gist.

Since Mavericks stopped using the deprecated ipfw (as of Mountain Lion), we'll be using pf to allow port forwarding.

1. Create the anchor file

Create an anchor file under /etc/pf.anchors/com.vagrant with your redirection rule like:

rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443
rdr pass on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr pass on en0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443

Note: the trailing whitespace is important.

The lo0 entries are for local requests, and the en0 entries are for external requests (for example, when testing from another computer or mobile device on the network). If you only need local access, the lo0 entries are enough.

2. Test the anchor file

Parse and test your anchor file to make sure there are no errors:

sudo pfctl -vnf /etc/pf.anchors/com.vagrant

3. Reference the anchor in pf.conf

/etc/pf.conf is the main configuration file that pf loads at boot. We'll need to load the anchor file we previously created:

rdr-anchor "com.vagrant"
load anchor "com.vagrant" from "/etc/pf.anchors/com.vagrant"

Make sure to add these entries to the appropriate spot, like:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "com.vagrant" # Port forwarding for Vagrant
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "com.vagrant" from "/etc/pf.anchors/com.vagrant" # Port forwarding for Vagrant

4. Load and enable pf

pf is enabled by default in Yosemite, so if the above doesn't work, reload pf by running the following:

sudo pfctl -ef /etc/pf.conf

Caution

pf.conf may be overwritten by updates to the OS. To guard against this, it might be best to create your own pf config file and load it in addition to the main pf.conf.
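
Because an OS update can replace pf.conf, step 3 may have to be repeated. The script below is an added example, not part of the original gist: it inserts the two com.vagrant lines into a pf.conf-style file at the positions shown in step 3, can be re-run without duplicating them, and always ends the file with a newline. The function names are this example's own.

```shell
#!/bin/sh
# Added example: re-apply step 3 to a pf.conf-style file, idempotently.
ANCHOR="com.vagrant"   # anchor name used throughout the guide

# Stock anchor lines as listed in step 3, used here as sample input.
sample_pf_conf() {
    cat <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
EOF
}

# add_vagrant_anchor FILE (hypothetical helper name)
# Returns 1 and leaves FILE untouched if Apple's rdr-anchor line is missing.
add_vagrant_anchor() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk -v a="$ANCHOR" '
        BEGIN {
            rdr  = "rdr-anchor \"" a "\""
            load = "load anchor \"" a "\" from \"/etc/pf.anchors/" a "\""
        }
        # Drop copies left by an earlier run so nothing is duplicated.
        index($0, rdr) == 1 || index($0, load) == 1 { next }
        { print }
        # Keep the rdr-anchor next to the other translation anchor.
        /^rdr-anchor "com\.apple\/\*"/ && !done { print rdr; done = 1 }
        END {
            if (!done) exit 1
            print load   # print always ends the line with a newline
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Run it on a copy of /etc/pf.conf, check the copy with sudo pfctl -vnf as in step 2, then install it and reload as in step 4.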

okeegan commented Jan 12, 2016

I noticed that to pass the syntax check on pf.conf I had to leave trailing whitespace (as in /etc/pf.anchors/com.vagrant) at the end, e.g.:

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "com.vagrant"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "com.vagrant" from "/etc/pf.anchors/com.vagrant"

Might be worth adding to the guide?

Doesn't work for redirecting to a different IP