Problems with pf rules for intercept squid proxy

Kristof Provost kp at
Tue Jun 28 17:37:42 UTC 2016

On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>  I have some problems with my pf rules on a FreeBSD 10.3 host that 
> acts as a squid intercept proxy. My actual pf rules are:
> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 
> port 5144
> rdr pass on $vpnif proto tcp from $int_network to any port https -> 
> lo0 port 5145
>  At first stage it seems that these rules works, but don't. Traffic is 
> redirected to squid, but squid denies all connections:
>  1467111934.502      1 TCP_DENIED/403 4221 GET 
> - HIER_NONE/- text/html
>  Using same squid.conf's file under an OpenBSD test machine, squid 
> works without problems. For this reason, I don't think there is some 
> problem with my squid's config. The only difference between this 
> OpenBSD host and FreeBSD are the pf rules.
You may have a different squid version, or they may be patched 
Your redirect rules are working, as demonstrated by the fact that squid 
gets a request, and replies to it.

Note that pf does not change your HTTP payload, it only affects TCP. In 
other words: if Squid sees the connection (and it does) it’s a Squid 

Also note that you’re redirecting on FreeBSD, but using divert-to on 
This may be triggering different behaviour from Squid. The man page says 
that with divert-to:

	The packets will not be modified, so getsockname(2) on the socket will 
	the original destination address of the packet.

That might be affecting an ACL in Squid.


More information about the freebsd-questions mailing list