Extend README:

If the proxy server is running on the same subnet as the clients, the return traffic from the proxy will go directly back to them without ever hitting the firewall, which means the states will never get updated and may fill-up your pflog(4) with blocked attempts. To circumvent this the "no state" option needs to be specified for the route-to rule. ok Brad, intput/ok sthen@ (maintainer)
2012-06-20 07:10:39 +00:00 · 2012-06-20 07:10:39 +00:00 · 4e6d900ce6
commit 4e6d900ce6
parent 41e4a016f2
2 changed files with 11 additions and 3 deletions
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.127 2012/04/28 11:06:12 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.128 2012/06/20 07:10:39 ajacoutot Exp $

 COMMENT=	WWW and FTP proxy cache and accelerator

 DISTNAME=	squid-2.7.STABLE9
-REVISION=	16
+REVISION=	17
 CATEGORIES=	www
 MASTER_SITES=	${HOMEPAGE}/Versions/v2/2.7/
 DIST_SUBDIR=	squid
--- a/www/squid/pkg/README
+++ b/www/squid/pkg/README
@ -1,4 +1,4 @@
-$OpenBSD: README,v 1.5 2012/04/28 11:06:12 ajacoutot Exp $
+$OpenBSD: README,v 1.6 2012/06/20 07:10:39 ajacoutot Exp $

 +-----------------------------------------------------------------------
 | Running ${FULLPKGNAME} on OpenBSD
@ -39,3 +39,11 @@ pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5)

 (this example assumes Squid is running on 10.77.3.5 reachable over
 the vr2 interface).
+
+If the proxy server is running on the same subnet as the clients, the
+return traffic from the proxy will go directly back to them without
+ever hitting the firewall, which means the states will never get updated
+and may fill-up your pflog(4) with blocked attempts. To circumvent this
+the "no state" option needs to be specified for the route-to rule.
+e.g.
+pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) no state