The pf plugin gathers information from the FreeBSD/OpenBSD pf firewall. Currently it can retrieve information about the state table: the number of current entries in the table, and counters for the number of searches, inserts, and removals to the table.

The pf plugin retrieves this information by invoking the pfstat command. The pfstat command requires read access to the device file /dev/pf. You have several options to permit agent to run pfctl:

  • Run agent as root. This is strongly discouraged.
  • Change the ownership and permissions for /dev/pf such that the user agent runs as can read the /dev/pf device file. This is probably not that good of an idea either.
  • Configure sudo to grant cua to run pfctl as root. This is the most restrictive option, but require sudo setup.

Using sudo

You may edit your sudo configuration with the following:

cua ALL=(root) NOPASSWD: /sbin/pfctl -s info


  # use sudo to run pfctl
  use_sudo = false