On 2011/05/09 16:31, R0me0 *** wrote:
> You can too try this:
>
> pass in on $int proto tcp from $int:network to port www route-to ( $dmz $ip_of_squid )
> pass out on $dmz proto tcp to $ip_of_squid port www
This won't work for machines on the same subnet as the proxy. In that case the return traffic (proxy->client) will bypass the firewall, so PF only sees half of the packets, and state tracking will break things. (It might initially appear to work, but try a larger download and watch for the connection breaking.)
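A simplified model of the half-seen flow described above, added here as an illustration and not taken from the thread or from PF's own code: a stateful tracker that sees only the client-side packets never learns how much data the proxy has sent, so the client's acknowledgements eventually run past what the tracker can verify and get dropped. Small transfers fit inside the slack and appear to work; larger ones break, as the reply predicts. `MAX_WIN`, the addresses, the initial sequence numbers and the MSS are constructed values, and real PF uses the peer's advertised window and a fuller sequence-tracking algorithm.

```python
"""Toy stateful TCP tracker showing why an asymmetric return path breaks state.

Constructed illustration; the tracking rules are a simplification, not PF's.
"""
from dataclasses import dataclass

# Slack the tracker tolerates between a peer's highest seen seq and an ack
# for it (assumed constant; PF derives this from the advertised window).
MAX_WIN = 65535


@dataclass
class Packet:
    src: str
    dst: str
    seq: int
    ack: int
    length: int = 0
    syn: bool = False


@dataclass
class Endpoint:
    seq_hi: int = 0  # highest seq+len the firewall has seen from this side
    ack: int = 0     # last ack the firewall has seen from this side


class StateTable:
    """Per-connection state, keyed on the unordered pair of addresses."""

    def __init__(self):
        self.states = {}

    def inspect(self, pkt):
        key = frozenset((pkt.src, pkt.dst))
        st = self.states.get(key)
        if st is None:
            if not pkt.syn:
                return "drop"  # no state and not a connection opener
            self.states[key] = {pkt.src: Endpoint(seq_hi=pkt.seq + 1),
                                pkt.dst: Endpoint()}
            return "pass"
        me, peer = st[pkt.src], st[pkt.dst]
        if peer.seq_hi == 0:
            # Nothing seen from the peer yet: take the first ack as our
            # best knowledge of where the peer's data starts.
            peer.seq_hi = pkt.ack
        elif pkt.ack > peer.seq_hi + MAX_WIN:
            # Acknowledges far more data than the firewall ever saw go by.
            return "drop"
        me.seq_hi = max(me.seq_hi, pkt.seq + pkt.length + (1 if pkt.syn else 0))
        me.ack = pkt.ack
        return "pass"


def simulate(download_bytes, return_via_firewall, mss=1460):
    """Run a client->proxy download through the tracker.

    Returns None if every client packet passed, otherwise the number of bytes
    delivered before the firewall first dropped one of the client's ACKs.
    """
    fw = StateTable()
    client, proxy = "10.0.0.5", "10.0.0.80"   # constructed addresses
    isn_c, isn_p = 1000, 5000                   # constructed ISNs
    # Three-way handshake; the SYN/ACK only reaches the firewall on a
    # symmetric path.
    fw.inspect(Packet(client, proxy, isn_c, 0, syn=True))
    if return_via_firewall:
        fw.inspect(Packet(proxy, client, isn_p, isn_c + 1, syn=True))
    fw.inspect(Packet(client, proxy, isn_c + 1, isn_p + 1))
    # A 100-byte request, then the proxy streams the response.
    fw.inspect(Packet(client, proxy, isn_c + 1, isn_p + 1, length=100))
    seq, sent = isn_p + 1, 0
    while sent < download_bytes:
        chunk = min(mss, download_bytes - sent)
        if return_via_firewall:
            fw.inspect(Packet(proxy, client, seq, isn_c + 101, length=chunk))
        seq += chunk
        sent += chunk
        # The client's ACK always crosses the firewall.
        if fw.inspect(Packet(client, proxy, isn_c + 101, seq)) == "drop":
            return sent
    return None


if __name__ == "__main__":
    print("symmetric, 1 MB:", simulate(1_000_000, True))      # None
    print("asymmetric, 10 KB:", simulate(10_000, False))      # None
    print("asymmetric, 1 MB:", simulate(1_000_000, False))    # 65700
```

With the return path through the firewall every ACK is verifiable and the transfer completes; with the return path bypassing it, a 10 KB page still fits inside the slack and looks fine, but a 1 MB download is cut off after 65700 bytes, which is the "initially appears to work, then breaks on a larger download" behaviour the reply describes.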