Firewall logging is logging things that aren't supposed to be logged
I've got an odd issue. I've got a single firewall rule that is set to log. The rule is that when any machine not a part of a MailHosts alias tries to connect to port 25 on a non-local server, the connection is blocked and logged. I would expect then that the only entries in my firewall log would be those that are a machine connecting to a remote server on port 25.
Instead, I'm getting my logs filled with entries for a single system that is connecting via passive ftp to a remote server (one of mine), with destination ports > 50000.
The icon next to the log entry is the little green arrow, implying that the traffic is being logged but not blocked. When I click on the little arrow, it tells me "The rule that triggered this action is:" and then doesn't say anything.
Make sure your interface isn't in promiscuous mode, this can sometimes happen when you install some packages, often traffic monitoring/analysis packages.
In the shell you can run ifconfig, check the relevant interface doesn't have "PROMISC" in the flags section.
The ftp proxy logs allowed connections, that is likely what you are seeing in the log.