OSX Lion integrated the pf packet filter from the OpenBSD project, which mitmproxy uses to implement transparent mode on OSX. Note that this means we don’t support transparent mode for earlier versions of OSX.

  1. Install the mitmproxy certificate on the test device

  2. Enable IP forwarding:

    >>> sudo sysctl -w net.inet.ip.forwarding=1
  3. Place the following two lines in a file called, say, pf.conf:

    rdr on en2 inet proto tcp to any port 80 -> port 8080
    rdr on en2 inet proto tcp to any port 443 -> port 8080

    These rules tell pf to redirect all traffic destined for port 80 or 443 to the local mitmproxy instance running on port 8080. You should replace en2 with the interface on which your test device will appear.

  4. Configure pf with the rules:

    >>> sudo pfctl -f pf.conf
  5. And now enable it:

    >>> sudo pfctl -e
  6. Configure sudoers to allow mitmproxy to access pfctl. Edit the file /etc/sudoers on your system as root. Add the following line to the end of the file:

    ALL ALL=NOPASSWD: /sbin/pfctl -s state

    Note that this allows any user on the system to run the command /sbin/pfctl -s state as root without a password. This only allows inspection of the state table, so should not be an undue security risk. If you’re special feel free to tighten the restriction up to the user running mitmproxy.

  7. Fire up mitmproxy. You probably want a command like this:

    >>> mitmproxy -T --host

    The -T flag turns on transparent mode, and the --host argument tells mitmproxy to use the value of the Host header for URL display.

  8. Finally, configure your test device to use the host on which mitmproxy is running as the default gateway.


Note that the rdr rules in the pf.conf given above only apply to inbound traffic. This means that they will NOT redirect traffic coming from the box running pf itself. We can’t distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection from mitmproxy itself - if you want to intercept your OSX traffic, you should use an external host to run mitmproxy. None the less, pf is flexible to cater for a range of creative possibilities, like intercepting traffic emanating from VMs. See the pf.conf man page for more.