2013-03-17 19:36:56 +00:00
|
|
|
|
|
|
|
|
|
|
|
OSX Lion integrated the [pf](http://www.openbsd.org/faq/pf/) packet filter from
|
|
|
|
the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX.
|
|
|
|
Note that this means we don't support transparent mode for earlier versions of
|
|
|
|
OSX.
|
|
|
|
|
|
|
|
<ol class="tlist">
|
|
|
|
|
|
|
|
<li> <a href="@!urlTo("ssl.html")!@">Install the mitmproxy
|
|
|
|
certificates on the test device</a>. </li>
|
|
|
|
|
|
|
|
<li> Enable IP forwarding:
|
|
|
|
|
|
|
|
<pre class="terminal">sudo sysctl -w net.inet.ip.forwarding=1</pre>
|
|
|
|
</li>
|
|
|
|
|
|
|
|
<li> Place the following two lines in a file called, say, <b>pf.conf</b>:
|
|
|
|
|
|
|
|
<pre class="terminal">rdr on en2 inet proto tcp to any port 80 -> 127.0.0.1 port 8080
|
|
|
|
rdr on en2 inet proto tcp to any port 443 -> 127.0.0.1 port 8080
|
|
|
|
</pre>
|
2013-04-04 22:55:28 +00:00
|
|
|
|
2013-03-17 19:36:56 +00:00
|
|
|
These rules tell pf to redirect all traffic destined for port 80 or 443
|
|
|
|
to the local mitmproxy instance running on port 8080. You should
|
|
|
|
replace <b>en2</b> with the interface on which your test device will
|
|
|
|
appear.
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
2013-04-04 22:55:28 +00:00
|
|
|
<li> Configure pf with the rules:
|
2013-03-17 19:36:56 +00:00
|
|
|
|
|
|
|
<pre class="terminal">sudo pfctl -f pf.conf</pre>
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
|
|
|
<li> And now enable it:
|
|
|
|
|
|
|
|
<pre class="terminal">sudo pfctl -e</pre>
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
|
|
|
<li> Configure sudoers to allow mitmproxy to access pfctl. Edit the file
|
|
|
|
<b>/etc/sudoers</b> on your system as root. Add the following line to the end
|
|
|
|
of the file:
|
|
|
|
|
|
|
|
<pre>ALL ALL=NOPASSWD: /sbin/pfctl -s state</pre>
|
|
|
|
|
|
|
|
Note that this allows any user on the system to run the command
|
|
|
|
"/sbin/pfctl -s state" as root without a password. This only allows
|
|
|
|
inspection of the state table, so should not be an undue security risk. If
|
|
|
|
you're special feel free to tighten the restriction up to the user running
|
|
|
|
mitmproxy.</li>
|
|
|
|
|
2013-04-04 22:55:28 +00:00
|
|
|
<li> Fire up mitmproxy. You probably want a command like this:
|
2013-03-17 19:36:56 +00:00
|
|
|
|
|
|
|
<pre class="terminal">mitmproxy -T --host</pre>
|
|
|
|
|
|
|
|
The <b>-T</b> flag turns on transparent mode, and the <b>--host</b>
|
|
|
|
argument tells mitmproxy to use the value of the Host header for URL
|
|
|
|
display.
|
|
|
|
|
|
|
|
</li>
|
|
|
|
|
2013-04-04 22:55:28 +00:00
|
|
|
<li> Finally, configure your test device to use the host on which mitmproxy is
|
|
|
|
running as the default gateway.</li>
|
|
|
|
|
|
|
|
|
2013-03-17 19:36:56 +00:00
|
|
|
</ol>
|
2013-12-08 08:38:53 +00:00
|
|
|
|
|
|
|
Note that the **rdr** rules in the pf.conf given above only apply to inbound
|
|
|
|
traffic. This means that they will NOT redirect traffic coming from the box
|
|
|
|
running pf itself. We can't distinguish between an outbound connection from a
|
|
|
|
non-mitmproxy app, and an outbound connection from mitmproxy itself - if you
|
|
|
|
want to intercept your OSX traffic, you should use an external host to run
|
|
|
|
mitmproxy. None the less, pf is flexible to cater for a range of creative
|
|
|
|
possibilities, like intercepting traffic emanating from VMs. See the
|
|
|
|
**pf.conf** man page for more.
|
|
|
|
|
|
|
|
|
|
|
|
|