From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Aguiar Magalhaes'", freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 08:22:58 +0100
Subject: RE: Something is wrong
Message-ID: <000b01c66f4b$91dcb9f0$0a00a8c0@thebeast>
In-Reply-To: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell to pf

This is not a pf issue, apart from

get rid of

    set optimization aggressive

The defaults are more than adequate.

add

    set block-policy return

So applications can tell you if the packet filter is getting in their way.

& assuming you're running 6 or later

Get rid of

    pass quick on lo0

And replace it with

    set skip on lo0

You need to configure either a local exclusion list through group policy and/or create a proxy.pac file for each client and use it.

If the proxy server has a routed connection to the intranet, it shouldn't matter what the destination port for the http server is.

Given you run a default policy of block, you do not appear to have a pass out rule on the inside interface permitting squid to connect to the intranet servers.

Greg
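Greg's individual changes, pulled together into one pf.conf fragment as an added example that is not part of the original mail. The interface names, addresses, the squid listening port and the assumption that squid runs on the pf host itself are mine; only the two application ports come from the question.

```pf
# Constructed pf.conf fragment (FreeBSD 6 syntax); names and addresses are
# assumptions, not values from the original thread.
int_if   = "em1"                 # assumed inside interface
lan      = "192.168.0.0/24"      # assumed client network
intranet = "{ 10.1.0.0/16 }"     # assumed intranet server range
# non-standard HTTP ports named in the question, plus plain HTTP
intra_ports = "{ 80, 8081, 19336 }"
squid_port  = "3128"             # assumed squid listening port

# Loopback is never filtered; this replaces "pass quick on lo0".
set skip on lo0
# "set optimization aggressive" is deliberately absent: defaults are adequate.
# Rejected packets get a TCP RST / ICMP unreachable instead of silence,
# so a client that is being blocked fails immediately rather than hanging.
set block-policy return

# Default deny, as in the original policy.
block all

# Clients may reach squid on the inside interface.
pass in on $int_if proto tcp from $lan to $int_if port $squid_port keep state

# The rule the original ruleset lacked: squid (running on this host) must be
# allowed out through the inside interface to the intranet web servers.
pass out on $int_if proto tcp from $int_if to $intranet port $intra_ports keep state
```

With `set block-policy return` in place, `tcpdump -n -e -ttt -i pflog0` on the firewall shows which of the two rules a failing connection is actually hitting.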