How do I enable IP-forwarding in MacOS X?

You’re doing two things there.

  1. Enabling IP forwarding. The OS X equivalent might be:
    sysctl -w net.inet.ip.forwarding=1

    …but since I don’t know exactly what you’re trying to do, this might be technically correct but unhelpful.

  2. Adding a largely unnecessary firewall rule. If you haven’t changed the default policy for your FORWARD chain (iptables -P FORWARD ...), then this rule does nothing.

OS X uses the pf firewall tools. Try here.

Prior to 10.7 Lion, OS X used the ipfw firewall tools, which are well documented all over the net. Try here, or here.


But OS X 10.12 has no iptables, ipfw or pf command; only pfctl exists.

macOS dropped IPFW from its firewall in 10.10 and uses OpenBSD's PF instead; for details see the OpenBSD PF User's Guide.

The OpenBSD PF User's Guide describes PF as enabled at boot by default and shows how to stop that with:

# rcctl disable pf

rcctl is an OpenBSD command and does not exist on macOS. On macOS, check whether PF is currently on with pfctl -s info (the first line reads "Status: Enabled" or "Status: Disabled") and switch it at run time with:

# pfctl -e

# pfctl -d


With OS X 10.7, Apple deprecated use of FreeBSD’s ipfw and switched to OpenBSD’s pf.

The control command for pf is pfctl(8).

You will find a brief discussion as of 10.7 here. This is useful for highlighting a couple ways OS X’s PF differs from the stock BSD version.

Documentation on PF is widely available, including Hansteen’s The Book of PF. The author also wrote a freely available tutorial, and the OpenBSD documentation is also freely available.

Note: If your machine is also running OS X Server under 10.8, you might need to fix a config error that Apple made before PF starts working.


I was able to get this working using the ifconfig and pfctl commands on Mac 10.10.2. With the following approach I’m successfully mapping to locally on my machine.

In your command line enter the following two commands to forward connections to to

sudo ifconfig lo0 alias
echo "rdr pass on lo0 inet proto tcp from any to port 80 -> port 3000" | sudo pfctl -ef -

Then edit your /etc/hosts or /private/etc/hosts file and add the following line to map your domain to

After you save your hosts file flush your local DNS:

sudo discoveryutil udnsflushcaches

Now open in a browser and you’ll be seeing the server hosted on your localhost port (i.e. ). Basically this process maps an <ip>:<port> to a new <ip> so that you can then map a host to that IP.
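The redirect described in the answer above, written out as an added example (not from the original post and not Apple's code): it keeps the rdr rule in its own pf anchor instead of replacing the whole rule set with pfctl -ef -, checks the syntax with pfctl -n before loading, and can remove the redirect again. The alias address 127.0.0.2, the port pair 80 -> 3000 and the anchor name com.apple/portfwd are assumptions; the script relies on the stock macOS /etc/pf.conf, whose rdr-anchor "com.apple/*" line is what makes a sub-anchor of com.apple get evaluated.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple: forward TCP port 80
# on a loopback alias to a local dev server with a pf rdr rule kept in its own
# anchor. Assumptions: 127.0.0.2 / 80 -> 3000 are constructed values, and the
# stock macOS /etc/pf.conf is in place (its rdr-anchor "com.apple/*" line is
# what makes a sub-anchor of com.apple get evaluated).
# net.inet.ip.forwarding is NOT needed here: the traffic never crosses an
# interface; that sysctl matters only when packets are routed between them.

ALIAS_IP="${ALIAS_IP:-127.0.0.2}"      # constructed loopback alias
FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-3000}"
ANCHOR="${ANCHOR:-com.apple/portfwd}"  # assumed anchor name

# Emit the translation rule that will be loaded into the anchor.
build_rdr_rules() {
    ip="$1"; from="$2"; to="$3"
    printf 'rdr pass on lo0 inet proto tcp from any to %s port %s -> %s port %s\n' \
        "$ip" "$from" "$ip" "$to"
}

# Alias the address, syntax-check the rules with -n, then load and enable.
apply_rdr() {
    rules=$(build_rdr_rules "$ALIAS_IP" "$FROM_PORT" "$TO_PORT")
    sudo ifconfig lo0 alias "$ALIAS_IP" up
    # -n parses without loading, so a broken rule is rejected before it
    # reaches the kernel; -a scopes the check to the anchor.
    printf '%s\n' "$rules" | sudo pfctl -a "$ANCHOR" -nf - || {
        echo "rule set rejected by pfctl -n; nothing loaded" >&2
        return 1
    }
    printf '%s\n' "$rules" | sudo pfctl -a "$ANCHOR" -f -
    sudo pfctl -e 2>/dev/null || true   # "already enabled" is not a failure
    sudo pfctl -a "$ANCHOR" -sn          # verify: list the anchor's NAT rules
}

# Undo: flush the anchor's translation rules and drop the alias.
remove_rdr() {
    sudo pfctl -a "$ANCHOR" -F nat
    sudo ifconfig lo0 -alias "$ALIAS_IP"
}

case "${1:-show}" in
    apply)  apply_rdr ;;
    remove) remove_rdr ;;
    *)      build_rdr_rules "$ALIAS_IP" "$FROM_PORT" "$TO_PORT" ;;  # dry run
esac
```

Run without arguments to see the rule it would load, with apply to load it and with remove to take it out again; then point a hosts entry at the alias address exactly as the answer does. Because the rule lives in its own anchor, pfctl -a com.apple/portfwd -sn shows only this redirect, and flushing the anchor leaves the rest of the rule set untouched.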



#pfctl -e //enable PF
#pfctl -d //disable PF
#pfctl -f /etc/pf.conf //reload the pf.conf rule file

To guard against a mistake in the rules locking you out:
when running pfctl -f, append ; sleep 10; pfctl -d (if the new rules work, press Ctrl-C during the sleep; if they cut you off, PF is disabled 10 seconds later and you can get back in; note that -d turns the firewall off entirely, so load a known-good rule set again afterwards)
#pfctl -nf /etc/pf.conf //check the syntax of pf.conf only (nothing is loaded)
#pfctl -Nf /etc/pf.conf //load only the NAT rules from the file
#pfctl -Rf /etc/pf.conf //load only the filter rules from the file
#pfctl -Of /etc/pf.conf //load only the options from the file
#pfctl -sn //show the current NAT rules = pfctl -s nat
#pfctl -sr //show the current filter rules = pfctl -s rules
#pfctl -ss //show the current state table = pfctl -s state
#pfctl -si //show filter statistics = pfctl -s info
#pfctl -sa //show everything = pfctl -s all
#pfctl -sm //show the memory limits = pfctl -s memory
#pfctl -sq //show the current queues = pfctl -s queue
#pfctl -vsr //show the filter rules with their per-rule counters = pfctl -vs rules
#pfctl -t ssh-bruteforce -Tshow //show the contents of a table
#pfctl -F nat //flush the NAT rules
#pfctl -F queue //flush the queues
#pfctl -F rules //flush the filter rules
#pfctl -F all //flush everything: rules, states, tables and counters
#pfctl -F info //reset the statistics counters
#pfctl -F Tables //flush all tables
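The "; sleep 10; pfctl -d" trick from the list above, reworked as an added example (not from the original post): instead of disabling the firewall when you have locked yourself out, it reloads the previous rule file unless the change is confirmed within a grace period, so the host is never left unprotected. The file paths and the marker-file location are assumptions; the only pfctl options used are -n and -f as listed above.

```shell
#!/bin/sh
# Added example, not from the original post: reload a pf rule file with a
# dead-man's switch. The page's "pfctl -f pf.conf; sleep 10; pfctl -d" leaves
# the host with NO firewall if you get locked out; this version reloads the
# previous known-good file instead, unless the change is confirmed in time.
# Assumptions: the two file paths passed in are whatever you keep (for example
# /etc/pf.conf.prev and /etc/pf.conf); CONFIRM_FILE is a constructed marker.

CONFIRM_FILE="${CONFIRM_FILE:-/tmp/pf-reload.confirmed}"

# Syntax check only: -n parses the file and loads nothing.
check_rules() {
    pfctl -nf "$1"
}

# Load NEW now; unless confirm_reload runs within GRACE seconds, load OLD back.
safe_reload() {
    old="$1"; new="$2"; grace="${3:-30}"
    check_rules "$new" || { echo "syntax error in $new, nothing loaded" >&2; return 1; }
    rm -f "$CONFIRM_FILE"
    pfctl -f "$new" || return 1
    # The watchdog ignores SIGHUP and has no terminal, so it outlives the
    # SSH session that the new rules may have just cut off.
    (
        trap '' HUP
        sleep "$grace"
        if [ ! -e "$CONFIRM_FILE" ]; then
            pfctl -f "$old"
            logger -t pf-watchdog "no confirmation, restored $old" 2>/dev/null || true
        fi
    ) </dev/null >/dev/null 2>&1 &
    echo "$new loaded; run confirm_reload within ${grace}s or $old is restored"
}

# Run this from a NEW session once you have verified you still get in.
confirm_reload() {
    : > "$CONFIRM_FILE"
}

# Typical run as root:
#   cp /etc/pf.conf /etc/pf.conf.prev      # before editing pf.conf
#   safe_reload /etc/pf.conf.prev /etc/pf.conf 30
#   confirm_reload                          # from a second ssh session
```

Source the file in both sessions so confirm_reload is defined, or simply touch the marker path from the second session; the watchdog only looks at the file. Because the rollback re-runs pfctl -f with the old file rather than pfctl -d, a failed change puts you back on the rule set you had before, not on an open host.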

Using PF tables:

Show the contents of a table
#pfctl -t ssh-bruteforce -Tshow
#pfctl -t table_name -T add <address or network> //add entries to the table
#pfctl -t table_name -T delete <address or network> //remove entries from the table
#pfctl -t table_name -T flush //remove every entry
#pfctl -t table_name -T show //list the entries
#pfctl -t table_name -T zero //reset the per-entry counters

Rules that drop TCP segments with impossible or scan-typical flag combinations (flags set / flags examined); they use quick so that they win over any later pass rule:
block in quick proto tcp all flags SF/SFRA      # SYN and FIN both set: SYN/FIN scan
block in quick proto tcp all flags SFUP/SFRAU   # SYN, FIN, URG and PSH all set
block in quick proto tcp all flags FPU/SFRAUP   # FIN, PSH, URG without SYN/RST/ACK: Xmas scan
block in quick proto tcp all flags /SFRA        # none of SYN, FIN, RST, ACK set: NULL scan
block in quick proto tcp all flags F/SFRA       # FIN alone: FIN scan
block in quick proto tcp all flags U/SFRAU      # URG alone
block in quick proto tcp all flags P            # PSH set, mask omitted: check with pfctl -nf how your pf version reads a mask-less flag set before using it, since ordinary data segments carry PSH


The equivalent on Linux:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Two caveats: iptables -t nat -F flushes every rule in the nat table, not just an earlier copy of this one, and PREROUTING only sees packets arriving from the network; connections opened on the same host pass through the nat table's OUTPUT chain instead, so add the same REDIRECT rule there if local clients should be redirected too. As on macOS, the forwarding sysctl is only needed when packets are routed between interfaces, not for a REDIRECT to a local port.

