Hi,
I am currently conducting some security testing within my network and have encountered a challenge…
Here is a brief overview of my setup and the problem:
Attacker Machine: MacOS with IP address 192.168.0.82
Target Machine: IP address 192.168.0.254
On the attacker machine, I have configured port forwarding and created a redirect rule intended for use
with the tool sslsplit. The configurations are as follows:
sysctl net.inet.ip.forwarding=1
pf.conf:
rdr pass on en0 inet proto tcp from any to any port 443 → 127.0.0.1 port 8443
rdr pass on en0 inet proto tcp from any to any port 80 → 127.0.0.1 port 8080
When I disable the pf.conf rules, arp spoofing functions perfectly.
However, upon enabling the pf.conf rules, the target machine loses internet connectivity.
Although the forwarding to ports 8443 and 8080 appears to be operational, when examining the firewall rules,
I encounter messages indicating “DROP_CTINVALID.”
I am concerned that ipfire might be blocking the traffic…
Specifically, I’m trying to figure out why, with the firewall rules enabled on my MacOS (pf.conf),
the traffic does not seem to forward back to the target machine properly.
Could you provide guidance on how to analyze this traffic and determine the underlying issue with the forwarding
and firewall configurations?
Thank you for your assistance.