diff --git a/www/squid/Makefile b/www/squid/Makefile index 616762e1404..beeed92bb53 100644 --- a/www/squid/Makefile +++ b/www/squid/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.127 2012/04/28 11:06:12 ajacoutot Exp $ +# $OpenBSD: Makefile,v 1.128 2012/06/20 07:10:39 ajacoutot Exp $ COMMENT= WWW and FTP proxy cache and accelerator DISTNAME= squid-2.7.STABLE9 -REVISION= 16 +REVISION= 17 CATEGORIES= www MASTER_SITES= ${HOMEPAGE}/Versions/v2/2.7/ DIST_SUBDIR= squid diff --git a/www/squid/pkg/README b/www/squid/pkg/README index 45815abd0b6..b62949a7081 100644 --- a/www/squid/pkg/README +++ b/www/squid/pkg/README @@ -1,4 +1,4 @@ -$OpenBSD: README,v 1.5 2012/04/28 11:06:12 ajacoutot Exp $ +$OpenBSD: README,v 1.6 2012/06/20 07:10:39 ajacoutot Exp $ +----------------------------------------------------------------------- | Running ${FULLPKGNAME} on OpenBSD @@ -39,3 +39,11 @@ pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) (this example assumes Squid is running on 10.77.3.5 reachable over the vr2 interface). + +If the proxy server is running on the same subnet as the clients, the +return traffic from the proxy will go directly back to them without +ever hitting the firewall, which means the states will never get updated +and may fill-up your pflog(4) with blocked attempts. To circumvent this +the "no state" option needs to be specified for the route-to rule. +e.g. +pass in quick inet proto tcp to port 80 route-to (vr2 10.77.3.5) no state
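Review bot: In the paragraph added to www/squid/pkg/README (last hunk, @@ -39,3 +39,11 @@), the "no state" advice is given without its cost. With "no state", pf creates no state entry for the redirected connection, so every packet to port 80 is evaluated against the ruleset and the rule passes any matching TCP segment without connection tracking. A sentence saying so would help, along with a hint to keep the stateless rule as narrow as possible, since the example rule as written has no source or interface restriction. The explanation "the states will never get updated" would also be clearer as "pf only sees the client-to-proxy half of each connection, so its state tracking fails". Wording nits in the same paragraph: "fill-up" should be "fill up", "To circumvent this" reads better as "To work around this", and the stray "e.g." on its own line could be folded into the previous sentence ("... for the route-to rule, e.g.:").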