OpenBSD + Squid + pf Transparent www Proxy Firewall
There is a perfectly serviceable squid package in the OpenBSD ports collection. I have found that I sometimes require a newer version of squid, or that I'm running an older version of OpenBSD, and the newer squid ports are not available. Also, the port doesn't offer a straightforward method to compile squid with more than 1024 file descriptors, which you will need on a moderately busy proxy.
This is the process for setting up squid from the source tarball.
o Compile kernel with
option MAXFILES=8192
o Edit /etc/sysctl.conf
kern.maxfiles=8192
o Download squid, extract the file and run configure as root. Set ulimit -n 8192 before running configure or it will use the default 1024.
# ulimit -n 8192
# ./configure --sysconfdir="/etc" \
    --prefix="/usr/local/squid" \
    --datadir="/usr/local/share/squid" \
    --enable-removal-policies="lru heap" \
    --enable-ssl \
    --enable-pf-transparent
o Add a rule to /etc/pf.conf to redirect all port 80 traffic to squid
rdr on $int_if inet proto tcp from any to any \
port www -> 127.0.0.1 port 2005
o Create the new user & group (use vipw to add the user, any editor to modify /etc/group)
vipw:
_squid:*:515:515:daemon:0:0:Squid Account:/nonexistent:/sbin/nologin
/etc/group:
_squid:*:515
o Allow the _squid group access to /dev/pf
chgrp _squid /dev/pf
chmod g+rw /dev/pf
o In squid 2.6 and above, a single line enables the transparent proxy
http_port 2005 transparent
o /var/squid partitions, in /etc/fstab
mount options:
noatime, nodev, nosuid, softdep
o rc.local
ulimit -n 8192
/usr/local/squid/sbin/squid
o rc.shutdown
/usr/local/squid/sbin/squid -k shutdown
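The pf rdr rule and the squid http_port line above have to name the same port, and a mismatch leaves clients with refused or hung port 80 connections. The following check is an added example, not part of the original post; the function names are hypothetical, the file paths are passed as arguments, and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm pf redirects port www to the port squid listens on.

# Print the port an "rdr ... port www -> host port N" rule points at.
# Joins lines ending in "\" first, as in the pf.conf rule above.
pf_rdr_port() {
    awk '
        /^[ \t]*#/ { next }
        { line = line $0 }
        /\\$/ { sub(/\\$/, " ", line); next }
        {
            sub(/[ \t]+$/, "", line)
            if (line ~ /^[ \t]*rdr / && line ~ /port (www|80) *->/) {
                n = split(line, f, /[ \t]+/)
                print f[n]
            }
            line = ""
        }' "$1"
}

# Print the port of every http_port line carrying the "transparent" flag.
squid_transparent_port() {
    awk '$1 == "http_port" {
        for (i = 3; i <= NF; i++) if ($i == "transparent") {
            p = $2; sub(/^.*:/, "", p); print p
        }
    }' "$1"
}

# Return 0 when both files agree; 1 on mismatch, 2/3 when a side is missing.
check_redirect() {
    pf_port=$(pf_rdr_port "$1")
    sq_port=$(squid_transparent_port "$2")
    [ -n "$pf_port" ] || { echo "no rdr rule for port www in $1"; return 2; }
    [ -n "$sq_port" ] || { echo "no transparent http_port in $2"; return 3; }
    [ "$pf_port" = "$sq_port" ] || {
        echo "mismatch: pf redirects to $pf_port, squid listens on $sq_port"
        return 1
    }
    echo "ok: pf and squid agree on port $pf_port"
}

# Constructed sample files (interface name em1 is made up for the demo).
tmp=$(mktemp -d)
cat > "$tmp/pf.conf" <<'EOF'
int_if = "em1"
rdr on $int_if inet proto tcp from any to any \
    port www -> 127.0.0.1 port 2005
EOF
printf 'http_port 2005 transparent\n' > "$tmp/squid.conf"
check_redirect "$tmp/pf.conf" "$tmp/squid.conf"
```

On a live host, call it as check_redirect /etc/pf.conf /etc/squid.conf (the squid.conf path follows from --sysconfdir="/etc" in the configure step).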