On Sat, 27 Mar 2010 13:09 +0100, "Peter N. M. Hansteen" <pe...@bsdly.net> wrote:
> Kabayan <kab4...@yahoo.com> writes:
>
> > Problem solved after I restarted pflogd.
> > New problem is: why does the pflogd process use almost 100% of the capacity of my /var?
>
> My guess would be that your pf.conf logs traffic with log (all) on at
> least one rule that matches a lot of traffic, and possibly your
> newsyslog.conf does not implement a very aggressive log rotation
> schedule.
>
> Logging all packets is not all that useful unless you're deep in
> debugging something.
I occasionally log packets that pf blocks (just to see who is poking around). Normally, that's about 100K per hour and only 4 old logs are kept, so a small /var is OK most of the time. Then one day, some new network gear was installed that messed up the layer 2 bridging and introduced a loop, and STP stopped working. From that came a huge broadcast storm. pf logs filled up a 4GB /var in 3 minutes. I've never seen that many packets in that short amount of time. I still log pf blocks and 99% of the time, it's OK.

Brad
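The two settings Peter points at, shown side by side as an added illustration (this is not configuration from the thread or from any poster's machine): a pf.conf fragment with the flood-prone `log (all)` form next to the log-blocks-only form Brad describes, and a newsyslog.conf entry that rotates /var/log/pflog by size with a small number of kept copies. The interface name em0, the port list, the 250 KB size and the count of 4 are assumptions chosen for the example.

```conf
# /etc/pf.conf (illustrative; interface name em0 and ports are assumed)

# Weak: "log (all)" records every packet that matches the rule, not only
# the packet that creates state. On a pass rule that carries most of the
# traffic this is what fills /var/log/pflog fast.
#pass log (all) on em0 all

# Safer: log only what is blocked. Plain "log" writes the first packet of
# a connection, which is enough to see who is poking around.
block log on em0 all
pass on em0 proto tcp to port { 22, 80 }

# /etc/newsyslog.conf (illustrative)
# logfile         mode count size(KB) when flags  command run after rotation
/var/log/pflog    600  4     250      *    ZB     "pkill -HUP -u root -U root -t - -x pflogd"
```

The `when` field of `*` with a size of 250 makes rotation depend on size rather than time of day, and `ZB` compresses the old copies and treats the file as binary (no "log turned over" text is written into a pcap file). Rotation still only happens when newsyslog actually runs, which in the default OpenBSD setup is hourly from root's crontab, so the count and size bound normal growth but do not stop a broadcast storm like Brad's from filling a small /var between two runs; logging only blocked packets, rather than `log (all)` on a broad rule, is what keeps the volume down in the first place.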