Greetings...

I am going to test an OpenBSD server with Squid tcp_outgoing_address and NAT. However, I have to wait since the test server is already running other tests. While I was planning to do this I asked myself if it was possible to assign each client that connects to Squid a port range for the outgoing request.

With tcp_outgoing_address set to private IPs I first had to create these private IPs as aliases for Squid to bind the outgoing requests on, then static NAT to the client IPs. Without the aliases Squid just returns a socket error message (this happened on my current test server using FreeBSD and IPFILTER/IPNAT).

Just a crazy thought, but if Squid would allow me to assign for each client IP a source port range that Squid uses to query the destination, then I would just need to policy NAT Squid's port range for each client.

Oh man, my English ain't that good so I'll just explain using "computer English".

Client 10.0.0.1 connects to Squid (never mind the private IP, it's just an example).

squid.conf has

    header_access Via deny all
    header_access X-Forwarded-For deny all

Squid ACL assigns for this client an outgoing "source" port range (e.g. 2100-2199). Using this port range we NAT Squid's IP to the client IP:

<ipfilter/ipnat>

    bimap $ext_if from $squid_ip port 2100><2199 to 0.0.0.0/0 port = 80 -> $client_ip

Oh well... Just wanted to share this crazy idea with you guys, so read it and think, laugh or reply.

PS: I have always used FreeBSD with IPFW so please excuse my lack of knowledge regarding IPFILTER/IPNAT and OpenBSD PF. Just trying to learn things the hard way.

--
Kind regards
Abu Khaled
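
The per-client source port idea from the message above, sketched as an added example that is not part of the original post and is not Squid code or configuration: a proxy-like process picks the outgoing source port by calling bind() before connect(), so a NAT rule can match on the port range. The names PORT_RANGES, range_for_client and connect_from_range are hypothetical, and the second client entry is constructed; only 10.0.0.1 and 2100-2199 come from the post.

```python
import errno
import ipaddress
import socket

# Constructed mapping: client address -> inclusive source-port range used for
# that client's outgoing requests (10.0.0.1 / 2100-2199 is the post's example).
PORT_RANGES = {
    ipaddress.ip_address("10.0.0.1"): (2100, 2199),
    ipaddress.ip_address("10.0.0.2"): (2200, 2299),
}


def range_for_client(client_ip):
    """Return the (low, high) port range for a client; KeyError if unmapped."""
    return PORT_RANGES[ipaddress.ip_address(client_ip)]


def connect_from_range(client_ip, dest, bind_ip="0.0.0.0", timeout=5.0):
    """Connect to dest using a source port inside the client's range.

    The source port is fixed by bind() before connect(). A port that is
    already taken is skipped; any other error (refused, unreachable, ...)
    is raised to the caller unchanged.
    """
    low, high = range_for_client(client_ip)
    for port in range(low, high + 1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.bind((bind_ip, port))
            sock.connect(dest)
            return sock
        except OSError as exc:
            sock.close()
            if exc.errno not in (errno.EADDRINUSE, errno.EADDRNOTAVAIL):
                raise
    raise OSError(errno.EADDRINUSE,
                  "no free source port in %d-%d" % (low, high))
```

With explicit binds like this, the size of the range caps the number of simultaneous outgoing connections for that client (100 for 2100-2199), and ports left in TIME_WAIT reduce it further.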