/var filling up



  • First off, I am a Linux/FreeBSD noob.
    Secondly, I installed 2.1 on an SSD using the 2 gig i386 image.  I followed the instructions using physGUI.

    I was able to get my network up and running.  Very satisfied with my hardware configuration until…

    My network was not working.  No traffic could get in or out.  I had about 6 packages installed.  I rebooted the system and there was an error about /var being full on the console.  Since then, I have had the same issue of my network not working 2 more times.  I have uninstalled some packages and it seems to not fill up as fast.  Both times I rebooted and it worked.  After rebooting, my /var is at 33%.  If I check back in an hour, it goes up.

    Currently:
    $ df
    Filesystem        512-blocks   Used   Avail Capacity  Mounted on
    /dev/ufs/pfsense0    3780028 474695 3002931    14%    /
    devfs                      2      2       0   100%    /dev
    /dev/ufs/cf           101055   4258   88713     5%    /cf
    /dev/md0               78812    520   71988     1%    /tmp
    /dev/md1              118492  41536   67480    38%    /var
    devfs                      2      2       0   100%    /var/dhcpd/dev

    First off, is the /var directory the culprit?  Secondly, can I do anything to keep it under control?

    Thanks,

    Ken



  • This is bad for lots of reasons.  I doubt that little SSD of yours can take many write cycles before crashing.
    Do you run squid?  Do you use logs?



  • @xray_man: You cannot do anything except disable logging, but that defeats the purpose of a firewall.

    In that case, there are two options:

    Option 1: Add an HDD to the unit (external or internal, does not matter) and mount it either as a UFS slice or a zpool, and mount /var/log on that device.

    Option 2: Create a separate logging server and route all logs to that remote server. Go to Services >> System Logs >> Settings >> Remote Logging Options.

    Hope this helps.

    PS: Logging to CF depletes its life faster which you already know. ;-)



  • @xray_man:

    Secondly, I installed 2.1 on an SSD using the 2 gig i386 image.  I followed the instructions using physGUI.

    Sounds like the nanoBSD based version of pfSense which is intended for environments where you want to minimise disk writes.

    @xray_man:

    I had about 6 packages installed.

    Which packages? Not all packages are suitable for the nanoBSD environment. For example, you probably don't want to run squid as a web cache because it's likely to want to write lots of data to the hard drive.

    How big is the SSD? Why did you choose to install the nanoBSD variant rather than the "full" variant?

    @kejianshi:

    I doubt that little SSD of yours can take many write cycles before crashing.

    Writes shouldn't be a concern with the nanoBSD variant. Note /var is mounted on a "memory disk" (/dev/md1), an indicator this is a NanoBSD install.



  • I see.  I stand corrected.  Still I do feel the problem is most likely squid and logs (although he hasn't said if he is using it).
    I think you can run squid but have to make the memory it uses small and the disk it uses either very small or non-existent.
    Personally, I'm of the opinion most people will be happier with a full install on a bigger rig than something small.
    Guess it depends on needs.



  • @kejianshi:

    I see.  I stand corrected.  Still I do feel the problem is most likely squid and logs (although he hasn't said if he is using it).
    I think you can run squid but have to make the memory it uses small and the disk it uses either very small or non-existent.
    Personally, I'm of the opinion most people will be happier with a full install on a bigger rig than something small.
    Guess it depends on needs.

    As for me, I am always in favour of separating the base OS installation from the additional bells and whistles, including log files. It is a safe practice to log everything to another system, in case of any cracking that can take place. So, as I suggested in the above post, it can be achieved either by adding an HDD to mount the memory device to HDD or by logging to a separate logging server (the best practice I do and recommend). ;-)



  • It is a good idea, but he didn't seem like the remote logs server type (-:  I could be wrong.
    Seriously, 99% of people who would put a regular HD in a pfSense box would just do a full install on that HD and be done with it.



  • /dev/md0               78812    520   71988     1%    /tmp
    /dev/md1              118492  41536   67480    38%    /var
    

    These 2 partitions are running in a memory disk. So they are not filling your real disk (and not writing/wearing out any real disk). You can adjust the size of these memory disks - System, Advanced, Miscellaneous, RAM Disk Settings section. If you have enough free real memory then increasing the size of these memory disks is possible.
    Most of the built-in pfSense logs are circular, so they do not grow bigger over time; old log entries just disappear and new ones come.
    I presume some package is writing output somewhere in /var - you will need to find out what that is and stop/control it. Go looking in /var for big things.
    What packages are running?
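
One way to act on the advice above ("go looking in /var for big things") when usage creeps up between checks, as an added example that is not part of the original post or of pfSense: snapshot per-directory usage, wait, and diff the two snapshots. The function names and the snapshot file paths are assumptions.

```shell
#!/bin/sh
# Added example: find what is growing under a RAM-disk /var.
# var_snapshot and var_growth are hypothetical helper names, not pfSense tools.

# var_snapshot DIR
# Prints "KiB<TAB>path" for every directory under DIR. -x keeps du on DIR's
# own filesystem, so a nested mount such as /var/dhcpd/dev (devfs) is skipped.
var_snapshot() {
    du -k -x "$1" 2>/dev/null
}

# var_growth OLD_SNAPSHOT NEW_SNAPSHOT [MIN_KIB]
# Prints "growth_KiB<TAB>path" for every directory that grew by at least
# MIN_KIB (default 1), largest growth first. du sizes are cumulative, so a
# parent grows along with its child; the deepest path listed is the culprit.
var_growth() {
    awk -F '\t' -v min="${3:-1}" '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # remember old sizes
        {
            before = ($2 in old) ? old[$2] : 0       # new dirs count from 0
            delta = $1 - before
            if (delta >= min) printf "%d\t%s\n", delta, $2
        }
    ' "$1" "$2" | sort -rn
}

# Typical use on the firewall's shell (snapshots go to /tmp, not /var,
# so they do not add to the usage being measured):
#   var_snapshot /var > /tmp/var.before
#   sleep 3600
#   var_snapshot /var > /tmp/var.after
#   var_growth /tmp/var.before /tmp/var.after 1024
```

A directory that appears with steady growth across several runs points to the package writing there; circular logs should not show up at all.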



  • @kejianshi:

    It is a good idea, but he didn't seem like the remote logs server type (-:  I could be wrong.
    Seriously, 99% of people who would put a regular HD in a pfSense box would just do a full install on that HD and be done with it.

    Yes, that is fine if you use pfSense just as a simple firewall and router, but if someone uses services for penetration prevention like snort, squid+squidguard, HAVP and others, a huge logging partition is needed to figure out intrusion detection. A mere simple firewall and router can still be run from a floppy disk, but pfSense, I guess, has a larger scope. Just my two cents.