pf rdr (redirect) syntax solved

Wed Nov 30 18:15:25 UTC 2011

On Wed, Nov 30, 2011 at 11:49 AM, Mark Moellering <mark at msen.com> wrote:
> My apologies for posting an answer without a question but this is something
> I want searchable in the future.
> To use redirection ( rdr ) in pf, you MUST specify an ip address or
> interface.
> For example, if you want to force external traffic coming in on port 80 to
> port 443 and write this;
>
> rdr on $interface inet proto tcp from ! $internal_addresses to $interface
> port 80 -> port 443
>
> it FAILS!  The PROPER syntax is;
>
> rdr on $interface inet proto tcp from ! $internal_addresses to $interface
> port 80 -> $interface port 443
>
> I hope this helps someone...

If you want to redirect all http connections to https, why not simply
have the server listen on port 80 to begin with?

An rdr rule is typically used to change the destination address, so it
is the port field that's optional. See 'rdr-rule' under the grammar
section of pf.conf(5).

By the way, you can use service names like 'http' and 'https' in place
of port numbers to make the configuration a bit more usable. See
/etc/services for a list of known ports.

- Max