The /etc/periodic/security/520.pfdenied script produces a line of output for all lines in the PF file, not just those that cause a deny to happen. Fix: Basically, only print the line if the 5th field isn't empty.
A commit references this bug: Author: lidl Date: Thu Nov 5 17:37:15 UTC 2015 New revision: 290405 URL: https://svnweb.freebsd.org/changeset/base/290405 Log: Restrict 520.pfdenied to only list rules that blocked traffic. Before this change, the 520.pfdenied script listed all rules that matched /^block/ in the rule. Restrict the printed output to only those rules that result in packets being dropped. PR: conf/187224 Approved by: rpaulo (mentor) Differential Revision: https://reviews.freebsd.org/D4068 Changes: head/etc/periodic/security/520.pfdenied