Squid 3.1 Freebsd - New

Intercepting traffic with PF on FreeBSD

Based on OpenBSD example by Chris Benech

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Outline

This configuration applies to FreeBSD 8/9, MP kernel and Squid 2.6 or later.

Squid Configuration

First, compile and install Squid. It requires the following options:

    ./configure --with-pthreads --enable-pf-transparent

You will need to configure Squid to know that the connection is being intercepted, like so:

    http_port 3129 transparent

Note: In Squid 3.1+ the transparent option has been split. Use intercept to catch PF packets:

    http_port 3129 intercept

pf.conf Configuration

In pf.conf, the following changes need to be made.

In the top portion where you set skip on your internal interfaces, remove those lines. They tell the pf filter not to do any processing on packets coming in on an internal interface.

    #set skip on $int_if 192.168.231.1 port 3129
    block in
    pass in quick on $int_if
    pass in quick on $wi_if
    pass out keep state

Some pointers:

- Use rdr pass instead of rdr on ... As part of the way that pf evaluates packets, traffic would drop through and be allowed as-is instead of being redirected if you don't use rdr pass.
- If pf seems to be ignoring your changes and no redirection is happening, make sure you removed the set skip on lines.
- Make sure to add the pass in quick lines. I have two internal interfaces myself, one for wired and one for wireless internet. Although there is a bridge configured, strange things sometimes happen when you don't explicitly allow all traffic on both interfaces. If you don't add these lines, you will lose local network connectivity and have to go to the console to figure it out.

Testing

To test whether it worked, use the nc utility. Stop squid and, from the command line as root, type in:

    nc -l 3129

Then restart squid and try to navigate to a page. You should now see output like this:

    [/root]> nc -l 3129
    GET /mail/?ui=pb HTTP/1.1
    User-Agent: Mozilla/5.0 (compatible; GNotify 1.0.25.0)
    Host: mail.google.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    ...

From there on out, just set your browsers up normally with no proxy server, and you should see the cache fill up and your browsing speed up.
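The pointers in the pf.conf section can be checked mechanically before reloading the ruleset. The script below is an added example, not part of the original page or the Squid project: it flags an active set skip on line, an rdr rule without pass, block in without any pass in quick on, and a redirect target port that has no intercept/transparent http_port in squid.conf. The function name check_intercept, the finding codes and the sample rdr rule are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: lint pf.conf and squid.conf for the pitfalls the page lists.
# Prints one finding code per line; prints nothing when no pitfall is found.
check_intercept() {   # usage: check_intercept PF_CONF SQUID_CONF
    # Ignore comments and blank lines so commented-out rules do not count.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    # An active "set skip on" makes pf skip the interface, so nothing is redirected.
    if has '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on'; then echo SET_SKIP_ACTIVE; fi
    # Page pointer: use "rdr pass", not a plain "rdr" rule.
    if printf '%s\n' "$active" | grep -E '^[[:space:]]*rdr[[:space:]]' |
        grep -Evq '^[[:space:]]*rdr[[:space:]]+pass[[:space:]]'; then echo RDR_WITHOUT_PASS; fi
    # "block in" with no "pass in quick on ..." cuts off local network access.
    if has '^[[:space:]]*block[[:space:]]+in' &&
        ! has '^[[:space:]]*pass[[:space:]]+in[[:space:]]+quick[[:space:]]+on'; then
        echo BLOCK_IN_WITHOUT_PASS_IN_QUICK
    fi
    # Each rdr target port needs an http_port marked intercept (or transparent).
    squid_ports=$(awk '/^[ \t]*http_port[ \t].*[ \t](intercept|transparent)([ \t]|$)/ {
        n = split($2, a, ":"); print a[n] }' "$2")
    for p in $(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*rdr[[:space:]].*->.*port[[:space:]]*\([0-9][0-9]*\).*/\1/p'); do
        printf '%s\n' "$squid_ports" | grep -qx "$p" || echo "NO_INTERCEPT_PORT:$p"
    done
}

# Constructed sample input showing all four findings. The rdr rule here is
# illustrative only; it is not the rule from the original page.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pf.conf" <<'EOF'
set skip on $int_if
rdr on $int_if inet proto tcp from any to any port 80 -> 192.168.231.1 port 3129
block in
pass out keep state
EOF
echo 'http_port 3129' > "$demo_dir/squid.conf"
check_intercept "$demo_dir/pf.conf" "$demo_dir/squid.conf"
rm -rf "$demo_dir"
```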