стоит на работе фря (шестёрка) в качестве шлюза. Squid настроен. Необходимо, чтобы пакеты перебрасывались с 80-го и (желательно) 21-го порта на 3128. Попробовал настроить это всё с помощью pf:

[color=darkred]ext_if="rl0"
int_if="sis0"

internal_net="192.168.1.0/24"
external_addr="83.221.211.202"
lo0="127.0.0.1"

tcp_services = "{ 5999, 110, 53, 443, 25, 8080, 5190, 1521, 6001 }" #
# "{ ftp-data, cvsup, smtp, domain, http, https, pop3, aol }"
#udp_services = "{ 53, 123 }"
udp_services = "{ domain, ntp }"
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"
zenit_main = "{ ... }"

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $internal_net to any -> ($ext_if)

#rdr pass on $ext_if proto tcp from any to $ext_if port $oracle_port -> $oracle_server port $oracle_port
#rdr pass on $ext_if proto tcp from any to $ext_if port 2022 -> $oracle_server port ssh

# squid forwarding
rdr pass on $int_if proto tcp from $internal_net to any port { 21, 80, 8080 } -> lo0 port 3128

pass in quick on $int_if inet proto tcp from any to lo0 port 3128 keep state
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state

#DNS
pass out proto tcp to any port domain keep state
pass proto udp to any port domain keep state

#set optimization normal
#set block-policy drop
#set loginterface $ext_if
pass quick on lo0 all
block quick log from any os NMAP
block log all

block in quick on $ext_if from $internal_net to any
block out quick on $ext_if from any to $internal_net
antispoof for $ext_if

# terminal access support
#pass in proto tcp from $terminal_source to any port $terminal_port #flags S/SA keep state
#pass out proto tcp from $internal_net to $terminal_source port $terminal_port #flags S/SA keep state

# ftp support
#pass in proto { tcp, udp } from any to any port { 20, 21 } keep state
#pass out proto { tcp, udp } from any to any port { 20, 21 } keep state

# ssh support
pass in proto tcp from any to any port 22 flags S/SA keep state
pass out proto tcp from any to any port 22 flags S/SA keep state

# allow tcp services
pass in quick proto tcp from any to any port $tcp_services flags S/SA keep state
pass out proto tcp from any to any port $tcp_services flags S/SA keep state

# allow upd services
pass quick inet proto udp to any port $udp_services keep state
pass out proto udp to any port $udp_services keep state

# in/out ping requets support
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state

# allow requests to/from web server
pass in log on $int_if proto tcp from $internal_net to $int_if port 80 flags S/SA
pass out log on $int_if proto tcp from any to $internal_net port 80 flags S/SA
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state flags S/SA
pass out on $ext_if proto tcp from $ext_if to any port 80 keep state flags S/SA

pass in log all
pass out log all[/color]

===================================================

Вот. При '/etc/rc.d/pf start' через прокси пушает, а напрямую -- нет :( Пишет:

[color=darkred]ОШИБКА
Запрошенный URL не может быть доставлен. [/color]
и тд

хотя напрямую из консоли пингуется внешняя сеть:

[color=darkred]$ ping linux.org.ru
PING linux.org.ru (217.76.32.61) 56(84) bytes of data.
64 bytes from linux.org.ru (217.76.32.61): icmp_seq=1 ttl=51 time=38.8 ms
64 bytes from linux.org.ru (217.76.32.61): icmp_seq=2 ttl=51 time=36.6 ms[/color]
[color=darkred]# pfctl -sa
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = ftp -> 127.0.0.1 port 3128
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = http -> 127.0.0.1 port 3128
rdr pass on sis0 inet proto tcp from 192.168.1.0/24 to any port = 8080 -> 127.0.0.1 port 3128

(...)

self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1442 TIME_WAIT:TIME_WAIT
self tcp 127.0.0.1:3128 <- 85.249.23.38:80 <- 192.168.1.113:1443 TIME_WAIT:TIME_WAIT
self tcp 192.168.1.1:110 <- 192.168.1.118:1338 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56628 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:56642 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:63851 -> 194.67.45.123:80 SYN_SENT:CLOSED
self tcp 83.221.211.202:51320 -> 194.67.45.123:80 FIN_WAIT_2:FIN_WAIT_2
self tcp 83.221.211.202:52960 -> 64.233.183.103:80 ESTABLISHED:ESTABLISHED
self tcp 83.221.211.202:56610 -> 66.249.93.104:80 ESTABLISHED:ESTABLISHED
self tcp 205.188.1.120:5190 <- 192.168.1.110:1402 ESTABLISHED:ESTABLISHED[/color]

Куда копать?

<span class='smallblacktext'>[ Редактирование ]</span>