If you wonder why something is not being logged, just run
tcpdump on the interface the traffic is going through.
If I have to debug a firewall with an external and an internal NIC, I usually ssh into the box from my X workstation. In each ssh session I run tcpdump.
- On the external interface
- On the internal interface
Code:
# tcpdump -ni bge0 not port ssh
Note the 'not port ssh' filter, to prevent pollution of the tcpdump output with my own ssh traffic.
- On the pflog device
Code:
# tcpdump -eni pflog0
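As an added example (not part of the post above, and not a tool shipped with pf or tcpdump): a small POSIX shell helper that builds the three capture commands from the post and summarises `tcpdump -eni pflog0` output by action, direction, interface and rule number. Instead of `not port ssh` it narrows the filter to the admin's own ssh session (client and firewall addresses taken from `$SSH_CONNECTION` on the firewall), so other port-22 traffic, for example an attacker probing sshd, still shows up in the capture. Interface names (`bge0`, `em1`), the documentation addresses, and the pflog sample lines are constructed for illustration; the pflog line format assumed is the OpenBSD-style `rule N/(match) block in on IFACE:` decoding, which differs slightly between tcpdump and pf versions.

```shell
#!/bin/sh
# Added example helper for pf debugging. Not part of the original post.
# Assumptions: interface names, addresses and the pflog sample are constructed;
# pflog line format assumed is "rule N/(match) block in on IFACE: src > dst: ...".

# BPF filter that hides only the admin's own ssh session (client <-> firewall,
# port 22) rather than every packet on port 22.
own_ssh_filter() {
    client="$1"; server="$2"
    printf 'not (host %s and host %s and port 22)\n' "$client" "$server"
}

# Same thing, but fed the value of $SSH_CONNECTION as seen on the firewall:
# "client_ip client_port server_ip server_port".
own_ssh_filter_from_connection() {
    set -- $1
    own_ssh_filter "$1" "$3"
}

# Print (not execute) the tcpdump command line for one NIC.
capture_cmd() {
    iface="$1"; client="$2"; server="$3"
    printf "tcpdump -ni %s '%s'\n" "$iface" "$(own_ssh_filter "$client" "$server")"
}

# Summarise "tcpdump -eni pflog0" output read from stdin: one line per
# (action, direction, interface, rule) with a packet count, busiest first.
pflog_summary() {
    awk '
    /rule [0-9]+\/\(match\) (block|pass) (in|out) on [A-Za-z0-9]+:/ {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        rule = $(i+1); sub(/\/.*/, "", rule)        # "12/(match)" -> "12"
        action = $(i+2); dir = $(i+3)
        iface = $(i+5); sub(/:$/, "", iface)         # "bge0:" -> "bge0"
        count[action " " dir " " iface " rule " rule]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample of pflog0 output (documentation addresses, made-up rules).
SAMPLE_PFLOG='12:00:01.000001 rule 12/(match) block in on bge0: 203.0.113.9.40212 > 198.51.100.1.23: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 rule 12/(match) block in on bge0: 203.0.113.9.40213 > 198.51.100.1.23: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 rule 12/(match) block in on bge0: 203.0.113.9.40214 > 198.51.100.1.23: Flags [S], seq 3, win 65535, length 0
12:00:02.000004 rule 7/(match) block out on em1: 192.168.1.20.53812 > 192.0.2.53.53: UDP, length 40
12:00:03.000005 rule 3/(match) pass in on bge0: 198.51.100.50.51000 > 198.51.100.1.22: Flags [S], seq 9, win 65535, length 0'

# Stand-alone demonstration: the three captures from the post, then the summary.
capture_cmd bge0 203.0.113.9 198.51.100.1
capture_cmd em1 203.0.113.9 198.51.100.1
printf 'tcpdump -eni pflog0\n'
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

In practice the summary is run as `tcpdump -eni pflog0 -l | pflog_summary` (or over a saved `tcpdump -enr` file); the `-l` flag is needed so tcpdump line-buffers into the pipe.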