Tuesday, May 29, 2012

BSD PF Firewall: Displays Active Packetfilter States And Rules

Q. How do I view active connections with the PF firewall under the FreeBSD / OpenBSD UNIX operating systems?

A. Use the pftop command, which displays the active packetfilter states and rules and periodically updates this information. It provides a "top"-like view of the PF state table.

Install pftop

pftop can be installed from the FreeBSD / OpenBSD ports collection, or downloaded from the pftop website. Under FreeBSD, type the following commands to update ports and install the latest version:
# portsnap fetch update
# cd /usr/ports/sysutils/pftop
# make install clean

Start pftop

pftop displays source and destination IP addresses, TCP and UDP port numbers, packets and bytes transmitted, the age of a connection, and the time left until a connection will be removed from the state table:
# pftop
Sample output:
Fig.01: pftop in action
To exit, press q. The following commands are currently recognized:
c Enable/disable state caching (enabled by default).
f Set the state filter expression.
h,? Display a summary of the commands (help screen).
n Set number of lines to display.
o Select next sorting Order.
p Pause/resume display updates.
q Quit pftop.
r Reverse current sorting order.
s Set display update interval in Seconds.
v Select next View.
0-7 Select one of the views directly.
Cursor Scroll display (up/down), and switch views (left/right). Most of the emacs/mg motion keys work as well.
SPACE Update display immediately.
CTRL-L Refresh display.
CTRL-G Clear command entry line.
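
For scripted monitoring of the same state table that pftop shows interactively, the text output of pfctl -s states can be summarised per initiating host. The following is an added example, not part of the original post; it goes beyond pftop itself. The function names, the sample lines and the assumed line layout (IFACE PROTO ADDR:PORT direction ADDR:PORT STATE, with an optional parenthesised NAT address) are assumptions.

```shell
#!/bin/sh
# Added example: count PF states per initiating host from `pfctl -s states` text.
# Assumed non-verbose line layout:
#   IFACE PROTO ADDR:PORT (<-|->) ADDR:PORT  STATE
# A NAT translation appears as an extra "(addr:port)" token, which is dropped.

# Constructed sample input (documentation addresses), not captured from a real host.
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:22 <- 198.51.100.7:51515       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.7:51516       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 203.0.113.9:40000       FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.10:51000 -> 192.0.2.53:53       MULTIPLE:SINGLE
all tcp 192.0.2.1:8443 (192.0.2.10:443) <- 198.51.100.7:51600       SYN_SENT:ESTABLISHED
EOF
}

# Read state lines on stdin; print "COUNT INITIATOR PROTO", highest count first.
pf_state_summary() {
    awk '
    {
        # Drop NAT translation tokens such as "(192.0.2.10:443)".
        gsub(/\([^)]*\)[ \t]*/, "")
        if (NF < 6) next                      # not a state line
        if ($4 == "<-")      peer = $5        # inbound: initiator is on the right
        else if ($4 == "->") peer = $3        # outbound: initiator is on the left
        else next
        sub(/:[0-9]+$/, "", peer)             # strip port, IPv4 "addr:port" form
        sub(/\[[0-9]+\]$/, "", peer)          # strip port, IPv6 "addr[port]" form
        count[peer " " $2]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}
```

On the firewall itself, run it as root with: pfctl -s states | pf_state_summary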

