> You obviously have not searched enough. For instance:
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
>
> explains how you can redirect connections transparently to ftp-proxy
> and why you need an IP on the bridge if you use userland proxies.

which says...

] # But the bridge will send the modified packet onto the wire unless
] # it is routed explicitly to lo0

] pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 8021
]                    ^^^^^^^^^^^^

That 'route-to lo0' is exactly what I've been looking for, and
I appreciate the answer even though I happen to think that three
days of searching and spending all my free hours reading through
a stack of printouts an inch thick does count as having made a
serious effort at researching the problem! :-)

I'll write something up about this solution specifically in the
context of spamd once I've implemented the tweak above, and
confirmed that it works in my circumstances, so that anyone
else trying to implement spamd on a transparent bridge/firewall
doesn't spend as much time as I have beating my head against
the wall.

I have to say that I find it amazing that no-one has ever
documented running spamd on a transparent bridge before!  Before
I started on this adventure I had assumed it was the standard
configuration... but do a google search for '"route-to lo0" spamd'
and you won't find a single pf.conf that uses that trick successfully.


Thanks again,


Graham.
