pfsense, suricata and RAM disk

How-To May 01, 2020

Running pfSense on an SSD requires moving /tmp and /var to memory (a RAM disk) to reduce wear on the disk.

When I originally set up pfSense, the amount of memory I allocated to these folders was the proposed 40MB for /tmp and 60MB for /var. All was good until this morning, when no DNS query was resolved.

I took a quick look at the services and found the unbound service stopped. Starting it didn't work; apparently a file was missing:
/var/unbound/test/unbound_server.pem no such file or directory

Hmm, /var... Then I remembered installing Suricata a few days ago, and it is known for the quantity of logs it produces. Returning to the pfSense dashboard confirmed it: /var was at 101%!

I then quickly increased the memory allocated to /var and rebooted pfSense. All good now, unbound started! After SSHing to the firewall, I found that http.log in /var/log/suricata/suricata_igb05224 was at 21MB:

19643 20800 -rw-r--r--  1 root  wheel  21252222 May  1 11:06 http.log
19642     4 -rw-r--r--  1 root  wheel      1832 May  1 11:05 alerts.log
19641     4 -rw-r--r--  1 root  wheel      2999 May  1 10:59 suricata.log
19645     4 -rw-r--r--  1 root  wheel      4096 May  1 10:58 sid_changes.log
19644     0 -rw-r--r--  1 root  wheel         0 May  1 10:38 stats.log

Same story in the folder of the second network interface. I quickly removed the two files.

Going to Services/Suricata/Logs Management, I have now checked Enable Directory Size Limit and set its size to 24MB. As mentioned before, I have also increased the /var RAM disk to 200, since the system has 8GB of RAM and it's mostly unused.

Check the other files in /var/log just to be sure, and keep an eye on the /var size from now on.
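Keeping an eye on /var by hand is easy to forget, so here is a small watchdog script as an added example (it is not part of the original post and not a pfSense or Suricata tool). It parses `df -P` for the usage of the /var mount, lists the largest files under /var/log/suricata, and truncates any single log that has grown past a cap, the same situation the 21MB http.log caused above. The 85% alert threshold, the 20MB per-file cap, the script path in the cron comment and running it with the `run` argument are all assumptions; adjust them to your box.

```shell
#!/bin/sh
# Added example, not from the original post: a watchdog for the /var RAM
# disk on pfSense (FreeBSD /bin/sh). It reports the usage of a mount point,
# lists the largest Suricata log files and truncates any single log that has
# grown past a cap, so a full /var is noticed before unbound fails to start.
# The 85% threshold, the 20MB cap and the cron usage are assumptions.

VAR_MOUNT=/var
USAGE_THRESHOLD=85                   # percent in use before we alert (assumed)
SURICATA_LOG_ROOT=/var/log/suricata
PER_FILE_CAP=$((20 * 1024 * 1024))   # bytes; http.log on the original box hit 21MB

# Print the used percentage (integer, no '%') of mount point $1, parsed from
# 'df -P' output read on stdin. Prints nothing if the mount is not listed.
usage_pct() {
    awk -v m="$1" 'NR > 1 && $6 == m { sub(/%/, "", $5); print $5 }'
}

# True (exit 0) when usage $1 is non-empty and at or above threshold $2.
over_threshold() {
    [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# Print "kilobytes path" for the $2 (default 5) largest regular files under $1.
largest_files() {
    n=${2:-5}
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "$n"
}

# Truncate file $1 in place if it is larger than $2 bytes. Truncating (rather
# than rm) frees the space even while Suricata still holds the file open; an
# unlinked but still-open file keeps its blocks until the process closes it.
# Prints "truncated" or "kept".
truncate_if_over() {
    [ -f "$1" ] || { echo "kept"; return 0; }
    size=$(( $(wc -c < "$1") + 0 ))   # arithmetic strips BSD wc's padding
    if [ "$size" -gt "$2" ]; then
        : > "$1"
        echo "truncated"
    else
        echo "kept"
    fi
}

# Full check: report usage, show the biggest logs, cap each per-interface log,
# and exit non-zero when the RAM disk is above the threshold.
main_check() {
    pct=$(df -P "$VAR_MOUNT" | usage_pct "$VAR_MOUNT")
    if [ -z "$pct" ]; then
        echo "$VAR_MOUNT is not a separate mount point; nothing to check"
        return 2
    fi
    echo "$VAR_MOUNT usage: ${pct}%"
    echo "largest files under $SURICATA_LOG_ROOT:"
    largest_files "$SURICATA_LOG_ROOT" 5
    # cap each per-interface log so one chatty log cannot fill the RAM disk
    # before Suricata's own directory size limit kicks in
    for f in "$SURICATA_LOG_ROOT"/*/*.log; do
        [ -f "$f" ] || continue
        echo "$f: $(truncate_if_over "$f" "$PER_FILE_CAP")"
    done
    if over_threshold "$pct" "$USAGE_THRESHOLD"; then
        echo "ALERT: $VAR_MOUNT at ${pct}%, above ${USAGE_THRESHOLD}%"
        return 1
    fi
    return 0
}

# Run the check only when invoked with 'run', e.g. from cron (path assumed):
#   */15 * * * * /root/var_watch.sh run
if [ "${1:-}" = "run" ]; then
    main_check
    exit $?
fi
```

The script exits 1 when /var is above the threshold, so a cron mail or a monitoring check picks it up; the per-file truncation is a safety net in case the directory size limit in the Suricata package is not reached before /var is.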

Radu

Since there's no place like 127.0.0.1, I try my best to keep it up to date and add network services using various (mostly old and cheap) network devices.
