                       [Internet]
                            |
                            |
                         re1|
                       +----=----+re2 (10.0.8.0/30)
                       |   FW    |=-----------+
                       +----=----+            |fxp0
                         re0|             +---=---+
                            |             | proxy |
                            |             +---=---+
                            |                 |xl0
                            |||----------------+
                           /|\ (10.0.7.0/24)
                          [LAN]
Is it possible to configure the indicated setup above for a transparent/intercepting proxy using an OpenBSD 5.6 router/firewall and an OpenBSD 5.4 proxy with Squid 3.3.8? LAN clients have the FW as the default gateway. I planned on intercepting WWW traffic at the firewall and redirecting it to the proxy out re2 (over the 10.0.8.0/30 net). The proxy has an intercept listener on fxp0:

http_port 10.0.8.2:3129 intercept

I see from the Squid documentation [1] that this should be done with divert-to and divert-reply in PF. Is this configuration only possible if Squid runs on the same host as the PF firewall, because a divert socket has to point locally?

With the following rule active in PF, no traffic is seen on re2 at FW:

@51 pass in log quick inet proto tcp from 10.0.7.32 to any port = 80 flags S/SA divert-to 10.0.8.2 port 3129

The following log is seen when attempting a connection from client 10.0.1.32 to WWW:

Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103: 10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 796985221 0,[|tcp]> (DF)

Is there any way to successfully configure this or a similar design with interception in Squid so that the proxy can reside on a different host than the firewall?

[1] http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

-- 
Darren Spruell
phatbuck...@gmail.com
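As an added illustration (not part of the original post, and not a configuration from the Squid wiki page cited above), the pf.conf fragments below sketch the two-host split the question is about. The interface names and addresses are taken from the diagram; everything else is an assumption to be validated on the actual boxes with `pfctl -nf /etc/pf.conf` and a `tcpdump -ni re2` on the firewall. The point of the contrast is that `divert-to` hands a packet to a socket on the machine evaluating the rule, so on the FW it cannot reach a listener on 10.0.8.2; `route-to` instead forwards the packet out re2 with its original destination address intact, and the proxy host then does the local `divert-to` itself.

```pf
# ---- On FW (OpenBSD 5.6), interception-related rules only ----
# Assumed from the diagram: re0 faces the LAN, re2 is the /30 link to the proxy.
lan_if   = "re0"
proxy_if = "re2"
proxy_ip = "10.0.8.2"
lan_net  = "10.0.7.0/24"

# Does not work with a remote proxy: divert-to delivers to a socket on THIS host,
# so the packets never appear on re2 (matches the behaviour reported above).
# pass in log quick on $lan_if inet proto tcp from $lan_net to any port 80 \
#     divert-to $proxy_ip port 3129

# Policy-route client web traffic out re2 toward the proxy host instead.
# The destination stays the real web server, which is what an intercept
# listener needs to recover the original address.
pass in log quick on $lan_if inet proto tcp from $lan_net to any port 80 \
    flags S/SA route-to ( $proxy_if $proxy_ip )

# The proxy's own fetches (source 10.0.8.2) must be allowed toward the Internet.
pass in on $proxy_if inet proto tcp from $proxy_ip to any port 80

# ---- On proxy (OpenBSD 5.4), interception-related rules only ----
# Packets arrive on fxp0 addressed to the real server; divert them locally
# to the Squid intercept listener (http_port 10.0.8.2:3129 intercept).
pass in log quick on fxp0 inet proto tcp from 10.0.7.0/24 to any port 80 \
    divert-to 10.0.8.2 port 3129
# divert-reply is only needed for sockets the proxy binds to non-local
# addresses (SO_BINDANY), e.g. when spoofing client source addresses;
# it is not required for plain intercept.
```

Two things to check before trusting this in production: the proxy host's replies to the LAN carry the original server address as their source, so the proxy needs a route back to 10.0.7.0/24 (via xl0 or via the FW) and any `antispoof`/`urpf-failed` rules on either box must not drop them; and the FW must permit the proxy's outbound connections on re2 while still blocking 10.0.8.2 from being reached from the Internet side.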