Logging

Keyword "log" in the rules to be logged

/etc/pf.conf

pass out log from <client> to port $email \
     label client-email keep state

Logs in binary, tcpdump(8) readable format

NOTE: log logs only initial packet, use log (all) to log all matching packets

OpenBSD 4.1 onwards: cloneable pflog, rules can log to specific interface:

pass log (all, to pflog2) inet proto tcp from $mailserver \
     to port smtp 

pflog interfaces created with ifconfig pflogN create or ifconfig pflogN up