Date: Tue, 15 Feb 2005 23:53:31 +0100
From: Daniel Hartmeier
To: Jason Hunt
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Squid Transparent Proxy
Message-ID: <20050215225331.GR32350@insomnia.benzedrine.cx>

On Tue, Feb 15, 2005 at 04:36:07PM -0600, Jason Hunt wrote:

> Has anyone got squid to work transparently using pf firewall rules? I came
> across some patch that supports --enable-pf-transparent from 2002, but was
> wondering if there was some workaround.
>
> I understand that you can do this on an OpenBSD system (apparently there is
> a port that does support --enable-pf-transparent), but was wondering about
> support for FreeBSD.

That code is only needed when you need squid to query original destination
addresses from pf via ioctl (when squid and pf are running on the same
host), for web servers that don't support HTTP 1.1 and the HTTP Host:
header (which are getting fewer).

The changes needed in squid were merged into the squid base distribution;
they are enabled using the --enable-pf-transparent configure option. The
FreeBSD 5.3 port enables that option when you run WITH_SQUID_PF=1 make in
/usr/ports/www/squid.

Some more details (which apply equally to pf under FreeBSD) can be found
on http://www.benzedrine.cx/transquid.html

Daniel
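
The choice the reply describes (use the Host: header when the request carries one, otherwise fall back to asking the packet filter for the original destination), as an added example that is not part of the original message and is not squid or pf code. The NAT_STATES table is a constructed stand-in for the pf ioctl lookup, and all function names, addresses and ports are assumptions made for illustration.

```python
# Added illustration: how an intercepting proxy can pick the origin server.
# NAT_STATES is a constructed stand-in for the packet filter's state lookup;
# no real pf or squid API is used here.

# (client_ip, client_port, proxy_ip, proxy_port) -> destination the client
# originally dialed before the redirect rule rewrote it (constructed samples).
NAT_STATES = {
    ("10.0.0.5", 40001, "127.0.0.1", 3128): ("192.0.2.10", 80),
    ("10.0.0.6", 40002, "127.0.0.1", 3128): ("192.0.2.20", 8080),
}


def parse_headers(raw: bytes) -> dict:
    """Return the request headers (lower-cased names) from a raw HTTP head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def split_host_port(value: str, default_port: int = 80):
    """Split 'host[:port]' and fall back to the default HTTP port."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def resolve_origin(raw: bytes, conn: tuple, nat_states=NAT_STATES):
    """Decide where to forward an intercepted request.

    conn is (client_ip, client_port, local_ip, local_port) of the accepted
    socket. Returns (host, port, source), where source is "host-header" or
    "nat-lookup".
    """
    host = parse_headers(raw).get("host")
    if host:
        return (*split_host_port(host), "host-header")
    # No Host: header (e.g. an HTTP/1.0 client): only the filter's state
    # table still knows which address the client was trying to reach.
    original = nat_states.get(conn)
    if original is None:
        raise LookupError("no Host header and no NAT state for %r" % (conn,))
    return (*original, "nat-lookup")
```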