I also don't understand how this is possible.But I don't think it is the complete rule set
The simplest way to find out what gets blocked is to use something like
block log (all)
pf.conf(5) describes the other options for logging:
Code:
log (all | matches | to interface | user)
The keywords all, matches, to, and user are optional and can be
combined using commas, but must be enclosed in parentheses if
given.
Use all to force logging of all packets for a connection. This
is not necessary when no state is explicitly specified.
If matches is specified, it logs the packet on all subsequent
matching rules. It is often combined with to interface to avoid
adding noise to the default log file.
The keyword user logs the UID and PID of the socket on the local
host used to send or receive a packet, in addition to the normal
information.
You could experiment with those.