On an OBSD 3.2, on the pflog i have seen something like:
<some date .....> rule 6/0(match): block in on rl0: xx.xx.xx.xx.pp > yy.yy.yy.yy.1424: udp 376 [ttl 1]
it's obvious this is a scan of the "MS-SQL Worm", but i don't understant that the ip (yy.yy.yy.yy) its not the ip of my server, and the ip (xx.xx.xx.xx) is an ip of a computer on the same subnet.
if the destination ip is not my server ip, how can my server block it ?
pf will drop any traffic it sees, if you tell it to. Your server did receive that packet in on rl0. It may not have routed it anyway, just ignored it, but pf got to see it first and chose to drop it.
As for why it was received, perhaps rl0 is a shared link, and that was sent as a broadcast packet for the link? A cable line might behave that way.
