For the life of me I couldn't figure out why my logs were filling so fast and yet there were only a few packets actually in them. When I listened to pflog0 I found 1000s of dhcp server broadcasts that were being blocked as per my ruleset (block that which I didn't request). I analyze my logs with the following:

    tcpdump -ttt -n -e -r /var/log/pflog

Yet the dhcp from port 67 to port 68 messages don't appear in my tcpdump of the log. The rule I ended up adding to stop the blocking of the packets is the following:

    pass in quick on xl0 proto udp from 10.33.160.1 port 67 to any port 68

But for some reason the tcpdump doesn't show the packets in /var/log/pflog.

Is this a bug or am I confused or doing something improperly?

-quel