Intercepting traffic with PF on FreeBSD

Based on OpenBSD example by Chris Benech

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


This configuration applies to FreeBSD 8/9, MP kernel and Squid 2.6 or later.

Squid Configuration

First, compile and install Squid. It requires the following options:

./configure --with-pthreads --enable-pf-transparent

You will need to configure squid to know the IP is being intercepted like so:

http_port 3129 transparent
  • /!\ In Squid 3.1+ the transparent option has been split. Use 'intercept to catch PF packets.

http_port 3129 intercept

pf.conf Configuration

In pf.conf, the following changes need to be made.

In the top portion where you set skip on your internal interfaces, remove those lines. They tell the pf filter not to do any processing on packets coming in on an internal interface.

#set skip on $int_if << These lines commented out 
#set skip on $wi_if

# redirect only IPv4 web traffic to squid 
rdr pass inet proto tcp from to any port 80 -> port 3129

block in
pass in quick on $int_if
pass in quick on $wi_if
pass out keep state

Some pointers:

  • Use rdr pass instead of rdr on ... part of the way that pf evaluates packets, it would drop through and be allowed as is instead of redirected if you don't use rdr pass.

  • If it seems to be ignoring your changes and no redirection is happening, make sure you removed the set skip on lines.

  • Make sure and add the pass in quick lines. Myself I have two internal interfaces, one for wired and one for wireless internet. Although there is a bridge configured, strange things happen sometimes when you don't explicitly allow all traffic on both interfaces. If you don't add these lines, you will lose local network connectivity and have to go to the console to figure it out.


To test if it worked, use the nc utility. Stop squid and from the command line as root type in:

nc -l 3129

Then restart squid and try to navigate to a page.

You should now see an output like this:

<root:openbsd> [/root]
> nc -l 3129
GET /mail/?ui=pb HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; GNotify
Connection: Keep-Alive
Cache-Control: no-cache

From there on out, just set your browsers up normally with no proxy server, and you should see the cache fill up and your browsing speed up.


ConfigExamples/Intercept/FreeBsdPf (last edited 2011-04-06 03:28:06 by AmosJeffries)