From 1a408365ab0a4917a228b0db50d7b20e385a1746 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sat, 2 Aug 2025 18:22:42 +0000
Subject: [PATCH] pf: Log packets not allowed to go outside
---
 roles/pf/templates/pf.conf.gw_dna.j2 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2
index 56f19e9..46ddf60 100644
--- a/roles/pf/templates/pf.conf.gw_dna.j2
+++ b/roles/pf/templates/pf.conf.gw_dna.j2
@@ -81,12 +81,12 @@ pass out quick on $int_if from any to $int_net
 {% if intdomain == 'iot.foo.sh' %}
 # block ip's: 192-255 from iot network
-block in quick on $int_if from 172.20.27.192/26 to !$int_net
+block in log quick on $int_if from 172.20.27.192/26 to !$int_net
 {% endif %}
 # allow communication from internal to world
-pass in quick on $int_if from $int_net to !$int_net
+pass in log quick on $int_if from $int_net to !$int_net
 # drop rest
-block in quick log all
-block out quick log all
+block in quick all
+block out quick all
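Review bot: The final two rules lose their `log` keyword, so packets that fall through to the default deny are no longer recorded on pflog, which the commit message (it only mentions adding logging) does not explain. Those drops are usually what reveals scans, or a host attempting something the ruleset never anticipated. If the removal is meant to cut noise, say so in the message; otherwise keep `block in log quick all` and `block out log quick all`. Separately, `pass in log quick on $int_if from $int_net to !$int_net` logs permitted outbound traffic rather than denied traffic, and with pf's default stateful handling only the state-creating packet is logged. A comment above that rule such as `# log new outbound connections (state-creating packet only)` would make the intent and the expected log volume clear.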