Yes, you are right, I put a DMZ because of this :)
2011/5/9 Stuart Henderson <s...@spacehopper.org>

> On 2011/05/09 16:31, R0me0 *** wrote:
> > You can too try this:
> >
> > pass in on $int proto tcp from $int:network to port www route-to ( $dmz
> > $ip_of_squid )
> > pass out on $dmz proto tcp to $ip_of_squid port www
>
> This won't work for machines on the same subnet as the proxy.
> In that case the return traffic (proxy->client) will bypass the
> firewall so PF only sees half of the packets so state tracking
> will break things. (It might initially appear to work but
> try a larger download and watch for the connection breaking).
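As an added illustration of the layout the thread settles on (not a ruleset from either poster), the pf.conf fragment below places the proxy on its own DMZ subnet so that both directions of every client/proxy connection cross the firewall; interface names and the squid address are assumed.

```pf
# Added example, not part of the original thread. Interface names and the
# proxy address are assumptions chosen for illustration.
int = "em1"                  # internal LAN interface
dmz = "em2"                  # DMZ interface, a separate subnet from $int
ip_of_squid = "192.0.2.10"   # constructed address: squid lives in the DMZ subnet

# Why the proxy must NOT sit on $int:network: if $ip_of_squid were a LAN
# address, client->proxy packets would be pushed through the firewall by
# route-to, but the proxy->client replies would go straight across the LAN
# switch and never reach PF. PF would then hold a state entry that only ever
# sees one direction, which is the "works until a larger download" failure
# described in the thread.

# Client web traffic arriving on the LAN side is forced to the proxy in the DMZ
pass in on $int proto tcp from $int:network to port www \
    route-to ($dmz $ip_of_squid) keep state

# Let the redirected traffic leave towards the proxy
pass out on $dmz proto tcp to $ip_of_squid port www keep state

# With the proxy in the DMZ, its replies come back in on $dmz and out on $int,
# so PF sees both halves of the connection and state tracking stays consistent.
```

Verify the symmetry after loading the rules by watching `pfctl -ss` while a client downloads a large file: the state for the client/proxy connection should show traffic counters rising in both directions.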