On 2021-07-08, Cameron Simpson <[email protected]> wrote:
> On 07Jul2021 10:59, Pierre Dupond <[email protected]> wrote:
>> I am setting up a firewall with PF. The strategy used is quite
>> common:
>>
>> set block-policy return
>> set loginterface none
>> set skip on lo0
>> match in all scrub (random-id reassemble tcp)
>> block log
>
> I think this sets _both_ block and log as the packet acceptance state.
> _Not_ "log if I block" i.e. a pass rule will still log.
That's not the case; "match log" would do that. "log" on a block or pass rule only applies if that rule itself is the one that matched.
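To make the distinction concrete, here is an added pf.conf fragment (not part of the thread, and not the original poster's ruleset) that puts the two forms side by side. It assumes "egress" as the external interface group; the ports are arbitrary placeholders.

```pf
# Added illustration, not from the original thread. Assumes the "egress"
# interface group; the ports used are placeholders.
set block-policy return
set skip on lo0
match in all scrub (random-id reassemble tcp)

# Default deny. The "log" here records only packets that end up blocked by
# this rule, i.e. packets that no later pass rule matches.
block log

# Passed silently: last matching rule wins, and this rule carries no "log",
# so the "log" on the block rule above does not apply to this traffic.
pass in on egress proto tcp to port 22

# Passed and logged: "log" has to sit on the pass rule that finally matches.
pass in log on egress proto tcp to port 80

# A match rule with "log" records every packet it matches, whichever pass or
# block rule later decides the packet's fate. This is the "everything gets
# logged" behaviour, and it is what "block log" alone does not do.
# match in log on egress all
```

With this ruleset, a connection to port 22 leaves no trace on pflog0, a connection to port 80 is logged by the pass rule, and anything else is logged by the block rule; uncomment the match rule to log all inbound packets on egress regardless of outcome. Logged packets can be inspected with `tcpdump -n -e -ttt -i pflog0`, and the `-e` output shows which rule number produced each entry, which is the quickest way to confirm which rule is actually doing the logging.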

