It seems it is starting to work.

Server command:

    /usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:

    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 172.10.0.2 9191

Random port:

    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 172.10.0.2 9192

Random IP and port (this is Google, don't hack):

    #!/bin/sh
    /usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
        -u user /usr/bin/nc -4 -n -v 212.191.227.88 80

    # cat pf.conf
    pass in quick on pair2 inet proto tcp from pair1 \
        rdr-to pair2 port 9191 keep state (floating)
    pass in
    pass out

    # pfctl -sr
    pass in quick on pair2 inet proto tcp from 172.10.0.1 \
        to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
    pass in all flags S/SA
    pass out all flags S/SA

Should I also do nat-to (source NAT, like in nftables), or is it not necessary?

Is there any possibility of packet leaks? I mean that these pf rules/ruleset will not match some packet and the packet could go to the Internet instead of the local socket? I would like to prevent that. I am better off not sending the packet anywhere than sending it to the Internet.
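Added example, not the poster's configuration: a default-deny variant of the ruleset above. It keeps the poster's redirect rule exactly, but replaces the catch-all `pass in` / `pass out` with a logged `block`, so any packet the redirect rule does not match is dropped on the host rather than routed toward the Internet. Interface names, addresses and the port are taken from the post; the `set skip on lo` line and the use of `pflog0` for inspection are assumptions (they are the OpenBSD defaults, not something the post states).

```pf
# Added example (not the poster's config): default-deny version of the
# rdr-to ruleset from the post. Interface names, addresses and the port
# come from the post; "set skip on lo" is an assumed default.

# Leave loopback traffic alone so local services are not affected.
set skip on lo

# Drop and log everything not explicitly passed below. pf is last-match,
# so this only takes effect for packets no later "quick" rule claims.
block log all

# Redirect TCP arriving from the pair1 side to the local nc listener on
# pair2. "quick" ends evaluation here; the state it creates also passes
# the replies, and because the target address is local to this host no
# nat-to is needed for the return path.
pass in quick on pair2 inet proto tcp from pair1 \
    rdr-to pair2 port 9191 keep state (floating)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While a test client connects, `pfctl -ss` should show one state with the translated destination 172.10.0.2:9191; anything that instead appears in `tcpdump -n -e -ttt -i pflog0` hit the block rule, which is exactly the traffic the original catch-all rules would have let out.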