
pf and gconfd-2



Perhaps I shouldn't be trying to use X on a system that I want really
secure. Perhaps I shouldn't be asking questions about pf and problems
with X-based apps. But...
I am using pf on FreeBSD RELENG_5_4. Usually I run with securelevel=2,
and the following question is irrelevant. However, sometimes : ) I like
to pop up a gnome-session.
When I do, with my pf firewall enabled, the X server starts, but the
various apps don't start properly; the screen never gets past the
initial "Starting Gnome..." splash screen.
There is a problem accessing the ~/.gconfd-<username>, and this is the
relevant entry in /var/log/messages:
Sep 24 09:21:46 H2O gconfd (admin-556): Failed to get lock for daemon,
exiting:
Failed to lock '/var/tmp/gconfd-admin/lock/ior': probably another
process has the lock, or your operating system has NFS file locking
misconfigured (Resource temporarily unavailable)
The suggestion hinted at by the error is NFS-related but I don't think
this is actually true.
If I disable pf, the gnome-session starts normally.
Can anyone suggest how I might relax my firewall rules to permit correct
operation of gconfd-2? 
btw. If someone can help it means the door to a really secure, GUI
capable BSD desktop is wide open. Portsentry watches a handful of ports
for common scans; adding to a pf table. Anything that gets through pf
will be examined with snort, and (you'll like this) I'm working on using
bmf to build rules for snort, and when statistically prudent add pf
rules via snort2pf or a suitable script. 
Unifex
[email protected]
-- 
  Aluminium Oxide
  [email protected]