Hi!

I try to describe my understanding out the situation more closely and
hope you can guide me further

1. since packets are generated locally packet filter match them only on
outgoing direction
2. locally generated packets are routed according to the default routing
table
3. using route-to ($if_ext $if_ext_gw) construct on the pass out rule i
can't change the interface the packet it getting out, its already
decided, i can only choose the next hop gateway address with-in the
network the  $if_ext is in
4. using routing table with different default gateway with locally
generated packets seem not to be a solution, i guess its also too late
because the match is actually happening on the outgoing direction and
routing has already happened

match log user _squid tag FROM_SQUID rtable 1


Imre


roberth wrote:
quoted text
> On Sat, 18 Sep 2010 20:12:32 +0300
> Imre Oolberg <imre@auul.pri.ee> wrote:
>
>   
>> Hallo!
>>
>> I have OpenBSD v. 4.7 i386 firewall with two outgoing internet
>> connections (of which one is default gateway and the other could be
>> used with route-to, for example) and serveral networks behind it. On
>> the firewall runs Squid process as user _squid and it does
>> transparent http proxy for inner networks. I tried to read man route
>> and man pf.conf but cant figure out on my own whether it is possible
>> or how to set up my firewall so that Squid's requests go out thru
>> that internet connection which isn't default gateway.
>>
>> I know it is possible to use different routing tables and pf lets act
>> on locally generated packets based on the respective process UID but
>> i just cant add them up to accomplish what i described. Help would be
>> appreciated! :)
>>
>>
>> Best regards, Imre
>>
>>     
>
> search the pf.conf manpage for the "user" parameter.