Unexpected rule can be displayed when looking up filter log entry with multiple matching rules
When using Port aliases, in the firewall log, when clicking on 'action' the triggering port seems to always be the first of the list.
As for the images, the triggering port is the 21, the port shown in 'detail' is 1001
the port list goes something like: 1001, 21, ...
#1 Updated by Jim Pingle almost 2 years ago
That's a side effect of how pf parses and reports the rules.
We write out the rule just once with a tracking ID in rules.debug, pf parses it and internally makes three separate rules, all with the same tracking ID.
It might be possible to fuss with the matching to make it print the expected port number there but I'm not certain it would be worth the effort.