On Thursday, December 21, 2006, at 15:32:24, Peter N. M. Hansteen wrote:

> Dominik Zalewski <[EMAIL PROTECTED]> writes:

>> My question is: can I redirect traffic on $int_if to another machine connected
>> to the same interface? Is this rule correct?

> You can redirect, but you need to let the packets from the proxy pass
> without redirection to the rest of the world.

>> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

> I would supplement this with a 'no rdr' rule for the proxy generated traffic.

One thing you should notice is that if packets are generated from the
same network your proxy stands in, then the proxy will try to send reply
packets (and the packets carrying the www pages, of course) directly to
machines in your LAN. And that means problems ;)

What I should do is create another network (i.e. if your LAN is
10.0.0.0/24 you can use 10.1.0.0/24) and attach 10.1.0.1 to the OpenBSD
NAT box and 10.1.0.2 to the proxy.
Then add NAT rules at the OpenBSD NAT box and the following lines:
no rdr on $int_if from 10.1.0.2
rdr on $int_if from your.lan/net to any port 80 -> 10.1.0.2 port 8080

I made such a config about a year ago and it worked. Maybe there are
newer features in PF that will work now, but my scenario was good a year
ago and I haven't changed it (old IT rule: if sth works well, don't
touch it :-))

regards,
-- 
Sylwester S. Biernacki <[EMAIL PROTECTED]>
X-NET, http://www.xnet.com.pl/
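Putting the separate-subnet layout from the message above into a complete pf.conf fragment, as an added example that is not part of the original post. Interface names, addresses and the filter rules are assumptions, the nat/rdr syntax is the pre-OpenBSD 4.7 form used in the thread, and squid is assumed to accept intercepted connections on port 8080.

```pf
# Added example, not from the original post. Assumed topology:
# $int_if carries the LAN (10.0.0.1/24) and an alias for the proxy subnet
# (10.1.0.1/24), so the proxy's traffic is forced through the NAT box.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "10.0.0.0/24"
proxy   = "10.1.0.2"        # squid on its own subnet, listening on 8080

# Why the separate subnet matters: a LAN client's SYN to some web server is
# rewritten to $proxy:8080 and a state entry is created on $int_if. Squid's
# reply has to pass back through that state so pf can rewrite the source
# to the original server again. If the proxy sat inside $lan_net it would
# answer the client directly on the LAN, the rewrite would never be undone,
# and the client would see packets from an unexpected 10.0.0.x:8080.

# Translation rules are first-match, so the exception comes first: fetches
# the proxy makes to port 80 on the Internet must not be redirected back
# into the proxy, otherwise squid ends up talking to itself.
no rdr on $int_if proto tcp from $proxy to any port 80

# Transparent interception for LAN clients only ('pass' creates the
# matching filter rule for the redirected connection).
rdr pass on $int_if proto tcp from $lan_net to any port 80 -> $proxy port 8080

# Both subnets leave the box through the external interface.
nat on $ext_if from { $lan_net, $proxy } to any -> ($ext_if)

# Minimal filter policy (assumed): let the proxy and the LAN out, keep state.
pass quick on lo0
block in on $int_if
pass in on $int_if proto tcp from $proxy to any keep state
pass in on $int_if from $lan_net to any keep state
pass out keep state
```

Check the translation rules with `pfctl -s nat` after loading; the `no rdr` line must be listed before the `rdr` line or proxy-originated fetches will loop.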
