At first glance, it does look cumbersome, and the PF syntax does look cleaner. However, a further review of the iptables man page gives me some insight as to perhaps why they did it this way. Apparently you can choose to log more than just the fact that the packet matched the rule. You can also log the UID of the process that generated the packet (this of course presumes that the packet originated locally--good for things like LTSP servers). You also apparently can log at different syslog levels per individual rule; I'm not aware that PF can do this. There are a couple other things that could prove handy as well, stuff that I could see myself using at work. If anything, this is taking "logging every rule independently" to the next level.
So, yes, you do need to make two rules (the rule for blocking/allowing, and the rule for logging). But you do gain some additional useful flexibility.
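
The rule pair described above, as an added example that is not part of the original comment: a small shell helper that prints a LOG rule followed by the matching verdict rule, with a per-rule syslog level and, on OUTPUT, the UID option. The helper name `rule_pair`, the prefixes and the port matches are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit the LOG + verdict rule pair for one match.
# It prints iptables commands instead of running them, so the result can be
# reviewed (or piped to `sh` as root) without touching the live ruleset.

# rule_pair CHAIN VERDICT LEVEL PREFIX [match args...]
# (hypothetical helper; all arguments used below are constructed samples)
rule_pair() {
    chain=$1 verdict=$2 level=$3 prefix=$4
    shift 4
    # The UID is only known for locally generated packets, so this example
    # chooses to add --log-uid on the OUTPUT chain only.
    uid_opt=
    [ "$chain" = OUTPUT ] && uid_opt=' --log-uid'
    # Rule 1: LOG is non-terminating; the packet continues to the next rule.
    printf 'iptables -A %s %s -j LOG --log-level %s --log-prefix "%s "%s\n' \
        "$chain" "$*" "$level" "$prefix" "$uid_opt"
    # Rule 2: same match, this one decides what happens to the packet.
    printf 'iptables -A %s %s -j %s\n' "$chain" "$*" "$verdict"
}

# Two pairs logging at different syslog levels.
sample_ruleset() {
    rule_pair INPUT  DROP   warning 'ssh-drop' -p tcp --dport 22
    rule_pair OUTPUT REJECT info    'smtp-out' -p tcp --dport 25
}

sample_ruleset
```

The order matters: the LOG rule has to come before the verdict rule, because a packet that hits DROP or REJECT never reaches anything after it.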