Dear list,

I just noticed something strange with pf (4.7) and I wondered if
someone could help me to understand it.

Let's consider the following simple rule-set:

<pf.conf>
set skip on lo0
pass all
block out log on bge0 inet proto tcp from any to x.x.x.x port 80
match out on bge0 inet proto tcp from any to x.x.x.x port 80
</pf.conf>

Then if I just try a simple hping on x.x.x.x on port 80, I expect to
see the packet blocked, and logged on pflog0, but I don't see it.
If I just add a "log" to the "match" rule, then my hping packet will
be logged twice on pflog0 (for the block and the match).
I observe analogous behavior if I replace the block rule with a similar pass rule.

So it seems impossible to log specific traffic if this traffic is
matched somewhere by a simple "match" rule; one would need to add the
"log" directive to the latter, which might of course not be desirable.

Is this the expected behavior, or is there something I am overlooking?

Any help would be greatly appreciated.

Regards,
William
