Intercepting traffic with IPFW

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


This configuration is for a machine using IPFirewall (IPFW) to NAT intercept traffic into a Squid proxy.

NOTE: NAT configuration will only work when used on the squid box. This is required to perform intercept accurately and securely. To intercept from a gateway machine and direct traffic at a separate squid box use policy routing.

Squid Configuration

First, compile and install Squid. It requires the following options:

./configure --enable-ipfw-transparent

You will need to configure squid to know the IP is being intercepted like so:

http_port 3129 transparent
  • /!\ In Squid 3.1+ the transparent option has been split. Use 'intercept to catch IPFW packets.

http_port 3129 intercept

rc.firewall.local Configuration

# Interface where client requests are coming from

# The IP Squid is listening on for requests. localhost is safest.

# Path to ipfw command

${IPFW} -f flush
${IPFW} add 60000 permit ip from any to any
${IPFW} add 100 fwd ${SQUIDIP},3129 tcp from any to any 80 recv ${IFACE}


To test if it worked, use the nc utility. Stop squid and from the command line as root type in:

nc -l 3129

Then restart squid and try to navigate to a page.

You should now see an output like this:

<root:freebsd> [/root]
> nc -l 3129
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; GNotify
Connection: keep-alive

From there on out, just set your browsers up normally with no proxy server, and you should see the cache fill up and your browsing speed up.


On MacOS X 10.6 traffic does not show up in Squid

by Jeffrey j Donovan

You need to edit:

sysctl -w net.inet.ip.scopedroute=0

Previous MacOS X set this to 0 by default. On MacOS X 10.6 it now defaults to 1. Disable this and Squid gets the traffic.


ConfigExamples/Intercept/Ipfw (last edited 2018-02-11 07:41:43 by AmosJeffries)