Found a way. Seems to work, though probably not optimal. Used bits out of 'The book of PF, 2nd edition, HANSTEEN)'
If anyone can see improvements, I'd be interested.
Added new launch daemon
/Library/LaunchDaemons/pflog.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key> <string>pflog</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/pflog.sh</string>
</array>
<key>Disabled</key> <false/>
<key>RunAtLoad</key> <true/>
<key>KeepAlive</key> <true/>
</dict>
</plist>
...which runs the following new script:
/usr/local/bin/pflog.sh
#! /bin/sh
# bodged solution to absence of pflogd, ref 'Book of PF' p136
ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info
...which uses logger, the interface to syslogd, needing an update to its config file, ie adding a line to
/etc/syslog.conf
local2.* /var/log/pf.log
And finally, switched the pfctl lauch daemon to start fully enabled (rather than enable on demand, as it's set)
ie added the 'e' (enable) option to
/System/Library/LaunchDaemons/com.apple.pfctl.plist
<<< snip
<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-ef</string>
<string>/etc/pf.conf</string>
>>> snip
I should add that for the time being I've commented out Apple's default anchor rules in /etc/pf.conf (which will break AirDrop, possibly other stuff too) and am using my own rules. If I could see what rules would be used by Airdrop, I might leave them in. I guess I'll look into it if I need to.
