PF pf: Block all log or Block log all?

I'm reading http://www.openbsd.org/faq/pf/filter.html and ran into this paragraph:

To create a default deny filter policy, the first filter rule should be:

block all

This will block all traffic on all interfaces in either direction from anywhere to anywhere.

Since rules are usually `pass in log`, `block in log`, I went ahead and assumed `block all log`, which it seems is not right; it's actually `block log all`.

Based on:

Rule Syntax

The general, highly simplified syntax for filter rules is:
action [direction] [log] [quick] [on interface] [af] [proto protocol]
[from src_addr [port src_port]] [to dst_addr [port dst_port]]
[flags tcp_flags] [state]

Is it because in this case 'all' would be source/dest and not really a direction? So log comes first.
Might seem a noobie silly question, but I'm trying to implement pf as 24/7 as possible (both on my Macbook and FreeBSD servers) and would like to understand the syntax as much as possible, to learn to 'think in pf', so to speak.
Thanks in advance!
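To make the slot order concrete, here is an added checker (not from the original post and not pf's own parser) that walks a rule through the simplified grammar quoted above and rejects a keyword that turns up later than its slot allows. The rule strings are constructed for the example, and `all` is treated as standing in for `from any to any`, which is how pf.conf(5) defines it.

```python
ACTIONS = {"pass", "block"}
DIRECTIONS = {"in", "out"}

def parse_rule(rule):
    """Check one rule against the slot order quoted above:
    action [direction] [log] [quick] [on if] [af] [proto p] [from a [port n]]
    [to a [port n]] [flags f] [state]. Returns (True, fields) or (False, reason);
    a keyword missing its argument raises ValueError."""
    toks = rule.split()
    if not toks or toks[0] not in ACTIONS:
        return False, "rule must start with an action such as pass or block"
    fields = {"action": toks[0]}
    i = 1

    def take_flag(slot, words):
        # Consume a single optional keyword if it sits in the current slot.
        nonlocal i
        if i < len(toks) and toks[i] in words:
            fields[slot] = toks[i]
            i += 1

    def take_arg(keyword, slot=None):
        # Consume "keyword value" if it sits in the current slot.
        nonlocal i
        if i < len(toks) and toks[i] == keyword:
            if i + 1 >= len(toks):
                raise ValueError(f"{keyword} needs an argument")
            fields[slot or keyword] = toks[i + 1]
            i += 2

    take_flag("direction", DIRECTIONS)
    take_flag("log", {"log"})          # log sits right after the direction slot
    take_flag("quick", {"quick"})
    take_arg("on")
    take_flag("af", {"inet", "inet6"})
    take_arg("proto")
    if i < len(toks) and toks[i] == "all":   # 'all' fills the from/to slot
        fields["from"] = fields["to"] = "any"
        i += 1
    else:
        for key in ("from", "to"):
            take_arg(key)
            if key in fields:
                take_arg("port", key + "_port")
    take_arg("flags")
    if i + 1 < len(toks) and toks[i + 1] == "state":   # keep/modulate/synproxy/no state
        fields["state"] = toks[i] + " state"
        i += 2
    if i != len(toks):
        return False, f"unexpected {toks[i]!r}: too late in the rule for its slot"
    return True, fields
```

Running `parse_rule("block all log")` reports `log` as out of place because `all` already consumed the from/to slot, while `parse_rule("block log all")` parses cleanly.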
 
PF can be a little strict, but it's also rather casual with its syntax. Anyway, first things first: while the official documentation is always a good reference you should keep in mind that it might not include specific changes that apply to the FreeBSD version. So in this case... pf.conf(5) (edit: 8 had to be 5, silly me!) is probably a better pick. Well, that or maybe the FreeBSD handbook?

Either way... packet filtering... block or pass, in or out. Or quick. on, proto, from, etc.

Long story cut short, I use something like this:

Code:
block quick from <shlist>
block log on $net_if
block on $vnet_if
And of course, after this my optional allow rules take place.