Message-ID: <473B2006.8050000@casino.uni-stuttgart.de>
Date: Wed, 14 Nov 2007 18:19:18 +0200
From: Tobias Ernst
To: freebsd-pf@freebsd.org
Subject: How to prevent FS overflow due to excessive logging?

Hi all,

we have a default policy that logs all dropped packets. Accordingly, I have carefully adjusted my newsyslogd configuration and made sure there is plenty of space in /var/log.

Today, one of our computers started sending out UDP packets to a certain (seemingly unknown) IP address, port 7800. And it sent many of them - about 2 million within one hour. This led to a 3 GIG pflog file and of course made our file system overflow.

We are currently figuring out what that was, but there is another question that boggles me: how do I prevent such file system overflows in the future? With conventional syslogd logging, syslogd will not print out lines that are excessive repetitions of previous lines. Is there a way to make PF not log excessive repetitions? I do not want to disable UDP logging generally - after all I want to be told when things like this happen.

Regards
Tobias

-- 
Universität Stuttgart|Fakultät für Architektur und Stadtplanung|casinoIT
70174 Stuttgart Geschwister-Scholl-Straße 24D
T +49 (0)711 121-4228
F +49 (0)711 121-4276
E office@casino.uni-stuttgart.de
I http://www.casino.uni-stuttgart.de
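
The syslogd-style repeat suppression the message refers to, applied to decoded pflog records, as an added example that is not part of the original message. The record layout, the sample lines, and the names `flow_key` and `suppress_repeats` are assumptions made for illustration; the code works on text already decoded from the log and does not change what pf writes to disk.

```python
import re

# Constructed sample in the text layout tcpdump prints for pflog records
# (assumed format; addresses are private/documentation ranges).
SAMPLE = """\
15:02:11.000100 rule 0/0(match): block out on em0: 192.168.1.23.1044 > 203.0.113.9.7800: UDP, length 32
15:02:11.000350 rule 0/0(match): block out on em0: 192.168.1.23.1045 > 203.0.113.9.7800: UDP, length 32
15:02:11.000610 rule 0/0(match): block out on em0: 192.168.1.23.1046 > 203.0.113.9.7800: UDP, length 32
15:02:12.104000 rule 0/0(match): block in on em0: 198.51.100.7.51514 > 192.168.1.5.22: tcp 0
15:02:12.300000 rule 0/0(match): block out on em0: 192.168.1.23.1047 > 203.0.113.9.7800: UDP, length 32
"""

RECORD = re.compile(
    r"rule \S+: (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def flow_key(line):
    """Return the fields that identify a repeated drop, or None if unparsable.

    Timestamp and source port are left out on purpose: they change with
    every packet, so literal line comparison (as syslogd does) never matches.
    """
    m = RECORD.search(line)
    if m is None:
        return None
    return (m["action"], m["dir"], m["ifc"], m["src"], m["dst"],
            int(m["dport"]), m["proto"].lower())


def suppress_repeats(lines):
    """Keep the first record of each run of identical flows, then a counter line."""
    out, prev, repeats = [], None, 0
    for line in lines:
        key = flow_key(line)
        if key is not None and key == prev:
            repeats += 1          # same flow as the previous record: count it only
            continue
        if repeats:
            out.append(f"last flow repeated {repeats} times")
        out.append(line)          # new flow or unparsable line: always keep it
        prev, repeats = key, 0
    if repeats:
        out.append(f"last flow repeated {repeats} times")
    return out
```
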