On Thu, Dec 21, 2006 at 02:39:50PM +0000, Stuart Henderson wrote:
> On 2006/12/21 15:29, Dominik Zalewski wrote:
> > In this article squid is running on the same machine as the OpenBSD firewall. In
> > my case I have squid running on a different machine connected to the LAN
> > interface.
> > My question is: can I redirect traffic on $int_if to another machine connected
> > to the same interface? Is this rule correct?
>
> No, you can't redirect back out the interface the packet came from.
> Maybe vlans could help, if there are no spare physical interfaces.
> Or you could run a small transparent proxy (e.g. tinyproxy) on the
> firewall and have that use $squid as a parent.

Unless you NAT the connection back, but it is an ugly solution; see the pf guide.

> > rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
>
> Even if you arrange $squid to be on an interface other than $int_if,
> I don't think this will work: iirc Squid needs to query /dev/pf for the
> untranslated addresses; in that case you need route-to on the firewall
> and fwd -> 127.0.0.1 on the proxy.

Squid needs to query /dev/pf only for HTTP/1.0 connections with no Host: header. Otherwise, it will happily use the Host: header to connect to the remote server.
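The "NAT the connection back" approach mentioned above, written out as an added pf.conf example (this is not from the thread or from the pf guide itself). It assumes the pre-4.7 rdr/nat rule syntax that was current at the time, that $int_if is the LAN interface, that $int_net (an assumed macro) is its subnet, and that $squid is the proxy host on that same subnet listening transparently on port 8080; the interface name and addresses are constructed sample values.

```pf
# Added example, not the thread's own configuration.
# Assumptions: $int_if = LAN interface, $int_net = its subnet (assumed macro),
# $squid = proxy host on that subnet, Squid in transparent mode on port 8080.
int_if  = "fxp1"              # constructed sample value
int_net = "192.168.1.0/24"    # constructed sample value
squid   = "192.168.1.10"      # constructed sample value

# Squid's own outbound web fetches must not be redirected, or they loop back
# into Squid itself.
no rdr on $int_if proto tcp from $squid to any port 80

# Redirect LAN clients' port 80 traffic to Squid, even though Squid sits on
# the same interface the packets arrived on.
rdr on $int_if proto tcp from $int_net to any port 80 -> $squid port 8080

# Because client and proxy are on the same subnet, Squid would otherwise reply
# directly to the client, which sees an answer from a peer it never contacted.
# Rewriting the source to the firewall's address forces the reply back through
# the firewall, where the rdr state is reversed.
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $squid port 8080 -> $int_if

# Filter rules for the redirected flow ("keep state" is explicit here because
# it was not yet the default at the time).
pass in  on $int_if proto tcp from $int_net to $squid port 8080 keep state
pass out on $int_if proto tcp from $int_if  to $squid port 8080 keep state
```

The cost of this trick, and the reason it is called ugly, is that Squid now sees every connection as coming from the firewall's LAN address: per-client ACLs and access logs on the proxy lose the real client IP, so any per-user auditing has to be done on the firewall's own state table or logs instead. Check the result with `pfctl -s state` while a client browses: you should see both the rdr state (client -> web server rewritten to $squid:8080) and the nat state (client rewritten to $int_if) for each connection.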