PF firewall dumps the logs (by default) to /var/log/pflog file which, depending on your packet filter rules and your traffic, can get to 100MB in size in just a few hours. (make your rules with pass in log-all or pass in log to have PF logging all or just first occurance of that rule for each host). This will certainly lead to your /var filesystem full very often.

I was in a similar situation today (after 2 months pflogfile was getting, again very large on one of my gateways). 

$ df -h /var Filesystem     Size    Used   Avail Capacity  Mounted on /dev/ad0s1e    248M    245M    -18M   108%    /var

Although I get hourly alerts on my email I was here a little too late I could say.

After searching the filesystem for the largest files (see How to find the largest 10 files in a filesystem) I saw that pflog file was getting close to 96MB (huuuge).

$ du -h /var/log/pflog 96M    /var/log/pflog

This can be easily fixed by doing two things: empty pflog file and restarting pflog processes / delete and touch pflog and restart pflog processes (in case you need to keep /var/log/pflog you'll need to move/archive it and store it somewhere safe. I didn't need it so I removed it's contents):

I used the first option:

Empty pflog file

$ >|/var/log/pflog $ df -h /var Filesystem     Size    Used   Avail Capacity  Mounted on /dev/ad0s1e    248M    245M    -18M   108%    /var

You can see above that it is not enough to empty it's contents. Df command still reports the filesystem full and /var/log/pflog file is still empty. Pflogd didn't start dumping the logs inside it.

Get the PIDs of pflogd daemon and kill -HUP

$ ps ax | grep -v grep | grep pflog   221  ??  Is     0:00.01 pflogd: [priv] (pflogd)   226  ??  S      8:29.79 pflogd: [suspended] -s 116 -f /var/log/pflog (pflogd) $ kill -HUP 221 226 $ df -h /var Filesystem     Size    Used   Avail Capacity  Mounted on /dev/ad0s1e    248M    151M     77M    66%    /var

kill -HUP sends a signal to the specified daemon(pflogd in this case) to re-read it's config files (including where to dump the logs: /var/log/pflog and after that df command shows a normal utilization of the filesystem (also, pflogd started to dump the logs in /var/log/pflog).

The above step could have been performed with one command: 

$ for i in `ps ax | grep -v grep | grep pflog | awk '{print $1}'`; do kill -HUP $i; done

Comments are welcome.

Bookmarks:

Echo "Freebsd - /var filesystem full because of pflog file" around:

-------------------advertising-----------------