Hi! I try to describe my understanding of the situation more closely and hope you can guide me further.

1. Since the packets are generated locally, the packet filter matches them only in the outgoing direction.
2. Locally generated packets are routed according to the default routing table.
3. Using the route-to ($if_ext $if_ext_gw) construct on the pass out rule I can't change the interface the packet is going out of; that is already decided. I can only choose the next-hop gateway address within the network that $if_ext is in.
4. Using a routing table with a different default gateway for locally generated packets does not seem to be a solution. I guess it is also too late, because the match actually happens in the outgoing direction and routing has already happened:

   match log user _squid tag FROM_SQUID rtable 1

Imre

roberth wrote:
> On Sat, 18 Sep 2010 20:12:32 +0300
> Imre Oolberg <i...@auul.pri.ee> wrote:
>
>> Hallo!
>>
>> I have an OpenBSD v. 4.7 i386 firewall with two outgoing internet
>> connections (of which one is the default gateway and the other could be
>> used with route-to, for example) and several networks behind it. On
>> the firewall runs a Squid process as user _squid and it does
>> transparent http proxy for the inner networks. I tried to read man route
>> and man pf.conf but can't figure out on my own whether it is possible
>> or how to set up my firewall so that Squid's requests go out through
>> that internet connection which isn't the default gateway.
>>
>> I know it is possible to use different routing tables and pf lets one act
>> on locally generated packets based on the respective process UID, but
>> I just can't add them up to accomplish what I described. Help would be
>> appreciated! :)
>>
>> Best regards, Imre
>
> search the pf.conf manpage for the "user" parameter.
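As an added illustration of the approach the thread is circling (not a configuration from either poster): a pf.conf fragment that selects locally generated Squid traffic by the "user" parameter roberth points at, tags it in a match rule, and consumes the tag in a pass out rule carrying route-to. The macro names, interface names and gateway addresses are assumptions chosen for the example; whether route-to on a pass out rule actually moves a locally generated packet onto the second link on 4.7 is exactly the question Imre raises above, so treat the fragment as the thing to test, not as a confirmed answer.

```conf
# Added example, not from the original thread.  Interface and address
# macros are assumptions; replace them with the real ones.
if_ext  = "em0"            # link that holds the default route
if_ext2 = "em1"            # second link that Squid should use
if_ext2_gw = "198.51.100.1"  # constructed next hop on the second link
if_int  = "em2"

# Select outgoing packets owned by the Squid process by uid and tag them.
# "user" only matches locally generated traffic, which is the case here.
match out log user _squid tag FROM_SQUID

# Send tagged packets to the second link.  route-to takes (interface gateway).
# A packet diverted this way still carries the source address the kernel
# picked for the default route, so the second link normally also needs
# nat-to ($if_ext2) or it will leave with the wrong source address.
pass out log on $if_ext tagged FROM_SQUID route-to ($if_ext2 $if_ext2_gw)

# Whatever is not Squid's keeps using the default route.
pass out on $if_ext
pass out on $if_ext2
```

To see which rule a Squid connection hit and on which interface it left, load the rules with "pfctl -f /etc/pf.conf", then watch "tcpdump -n -e -ttt -i pflog0" (the "log" keyword on both rules above sends them to pflog0) and compare with "pfctl -s states" for connections originating from the firewall's own addresses.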