I have about a dozen OpenBSD firewalls "out there" and most of them are pretty minimal, having a NATted LAN, and the only traffic allowed in (other than replies to outbound) is ssh.
The pf.confs are pretty much modifications of a template one with just the LAN IPs changing. The changes in /etc/* are also the same for all of them. Just one is not getting anything in pflog.

pflogd is running. ps auxwww says:

    _pflogd 14121 0.0 0.1 640 244 ?? S 15Feb06 0:21.15 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)

There are rules like:

    block return-icmp in log quick from <ssh-scan>

in there and currently pfctl -t ssh-scan -Ts gives:

    61.134.32.18 61.175.248.131 69.60.110.241 125.246.21.3 199.227.176.178 201.20.202.202
    203.200.36.253 211.155.23.65 211.162.78.106 212.74.113.212 218.108.1.180 218.206.96.174
    220.117.241.46 220.117.241.87 220.119.33.251 220.132.113.163 221.224.14.157

So you would expect to see <something> in the pflog as those guys would have tried at least once after being tabled.

I've been working with too little sleep so I am missing some little detail, but it is a bit embarrassing when I try to show a user all the nasties our log shows as being blocked and the output is null.

Somebody wake me up please. I have looked too long at the forest from too close up.

From the land "down under": Australia. Do we look <umop apisdn> from up over?
Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
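
Added example, not part of the original post: a check on the post's expectation that the logged block rule should have produced pflog entries, done by reading the per-rule counters from `pfctl -vsr` for every rule that carries `log`. The function name, the verdict labels and the sample ruleset (including the interface name fxp0) are constructed for illustration.

```shell
#!/bin/sh
# Reads `pfctl -vsr` output on stdin and prints, for each rule with the "log"
# keyword: "<verdict> <evaluations> <packets> <rule text>".
#   MATCHED             the rule has hit packets; if pflog is still empty,
#                       look at the logging path (pflog0, pflogd), not the rules
#   EVALUATED-NO-MATCH  the rule was evaluated but nothing matched it
#   NOT-EVALUATED       the rule was never evaluated since the ruleset loaded
log_rule_counters() {
    awk '
    /^[ \t]*\[ Evaluations:/ {          # counter line that follows a rule
        if (rule != "") {
            ev = 0; pk = 0
            for (i = 1; i < NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1) + 0
                if ($i == "Packets:")     pk = $(i + 1) + 0
            }
            if (pk > 0)      v = "MATCHED"
            else if (ev > 0) v = "EVALUATED-NO-MATCH"
            else             v = "NOT-EVALUATED"
            printf "%s %d %d %s\n", v, ev, pk, rule
            rule = ""
        }
        next
    }
    /^[ \t]*\[/ { next }                # any other bracketed statistics line
    # Rule text starts in column 0; remember it only if it logs.
    /^[^ \t]/ { rule = ($0 ~ /(^| )log( |$)/) ? $0 : "" }
    '
}

# Constructed sample in the shape of `pfctl -vsr` output (not from the post).
sample_pfctl_vsr() {
    cat <<'EOF'
block return-icmp in log quick from <ssh-scan> to any
  [ Evaluations: 5120      Packets: 0         Bytes: 0           States: 0     ]
pass in on fxp0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 5120      Packets: 8423      Bytes: 911204      States: 3     ]
block drop in log all
  [ Evaluations: 310       Packets: 310       Bytes: 18600       States: 0     ]
EOF
}

# Stand-alone run on the sample; on a firewall: pfctl -vsr | log_rule_counters
sample_pfctl_vsr | log_rule_counters
```

The counters restart when the ruleset is reloaded, so read them against the time of the last `pfctl -f`.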