Matching Log Data To Your Rule Set

Each pflog log entry includes the number of the rule in the loaded rule set that the packet matched:

$ sudo tcpdump -nettti pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
Sep 13 15:26:52.122002 rule 17/(match) pass in on epic0: 91.143.126.48.46618 > 194.54.103.65.22: [|tcp] (DF)
Sep 13 15:28:02.771442 rule 12/(match) pass in on epic0: 194.54.107.19.8025 > 194.54.107.18.8025: udp 50
Sep 13 15:28:02.773958 rule 10/(match) pass in on epic0: 194.54.107.19.8025 > 194.54.103.65.8025: udp 50
Sep 13 15:29:27.882888 rule 10/(match) pass in on epic0: 194.54.107.19.29774 > 194.54.103.65.53:[|domain]
Sep 13 15:29:28.394320 rule 12/(match) pass in on epic0: 194.54.107.19.29774 > 194.54.107.18.53:[|domain]

Match those rule numbers to the @-numbered rules in pfctl -vvsr output:

$ sudo pfctl -vvsr
@0 scrub in all fragment reassemble
  [ Evaluations: 6116699   Packets: 3069556   Bytes: 646214426   States: 0     ]
  [ Inserted: uid 0 pid 2006 ]
@0 block return log all
  [ Evaluations: 102723    Packets: 2539      Bytes: 269448      States: 0     ]
  [ Inserted: uid 0 pid 2006 ]
@1 block return log quick from <bruteforce:1> to any
  [ Evaluations: 102723    Packets: 40        Bytes: 2384        States: 0     ]
  [ Inserted: uid 0 pid 2006 ]
@2 anchor "ftp-proxy/*" all
  [ Evaluations: 102683    Packets: 28044     Bytes: 22617668    States: 0     ]
  [ Inserted: uid 0 pid 2006 ]
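
The lookup described above, done mechanically: an added example (not part of the original page) that joins saved tcpdump pflog lines to saved pfctl -vvsr output by rule number. The function names, the text of rules @10, @12 and @17, and the "rule 99" log line are constructed for illustration, and treating scrub rules as separately numbered is an assumption based on the two @0 entries in the listing.

```python
import re

# Constructed pfctl -vvsr excerpt. The text of rules @10, @12 and @17 is
# invented for illustration; the page's own listing stops at @2.
PFCTL_SAMPLE = """\
@0 scrub in all fragment reassemble
  [ Evaluations: 6116699   Packets: 3069556   Bytes: 646214426   States: 0     ]
@0 block return log all
  [ Evaluations: 102723    Packets: 2539      Bytes: 269448      States: 0     ]
@10 pass in log on epic0 inet from any to 194.54.103.65 keep state
@12 pass in log on epic0 inet from any to 194.54.107.18 keep state
@17 pass in log on epic0 inet proto tcp from any to 194.54.103.65 port = ssh keep state
"""

# First two lines are from the capture above; the "rule 99" line is constructed.
LOG_SAMPLE = """\
Sep 13 15:26:52.122002 rule 17/(match) pass in on epic0: 91.143.126.48.46618 > 194.54.103.65.22: [|tcp] (DF)
Sep 13 15:28:02.773958 rule 10/(match) pass in on epic0: 194.54.107.19.8025 > 194.54.103.65.8025: udp 50
Sep 13 15:30:00.000000 rule 99/(match) block in on epic0: 192.0.2.7.4711 > 194.54.103.65.23: [|tcp]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)")
LOG_RE = re.compile(r"\brule (\d+)/\(([^)]*)\) (\w+) ")

def parse_rules(pfctl_text):
    """Return {rule number: rule text} for the filter rules in pfctl -vvsr output."""
    rules = {}
    for line in pfctl_text.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue  # counter lines such as "[ Evaluations: ... ]"
        # Assumption: scrub rules carry their own numbering (note the two @0
        # entries), so they are kept out of the filter-rule table.
        if not m.group(2).startswith("scrub"):
            rules[int(m.group(1))] = m.group(2)
    return rules

def annotate(log_text, rules):
    """Return (rule number, reason, action, rule text or None) per log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            number = int(m.group(1))
            hits.append((number, m.group(2), m.group(3), rules.get(number)))
    return hits

if __name__ == "__main__":
    for number, reason, action, text in annotate(LOG_SAMPLE, parse_rules(PFCTL_SAMPLE)):
        print(f"@{number} {action} ({reason}): {text or 'not in this listing'}")
```

A rule text of None means the listing does not contain that number; rule numbers are only meaningful against the rule set that was loaded when the packet was logged.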