Kerberos SSH routing tables problem


Kerberos SSH routing tables problem

Predrag Punosevac-2
Hi Misc,

I am using an EdgeRouter Lite as a firewall/DNS caching resolver for one of
our remote locations.

ubnt1# uname -mrsv
OpenBSD 6.5 GENERIC.MP#0 octeon

The desktops behind the firewall have to use Kerberised SSH to perform
some work on one of the .mil servers. I opened the egress ports kerberos,
klogin and kshell over TCP, as well as kerberos over UDP. After the work is
finished and the desktops are "logged out", the routing tables (DNS) are in a
bad state on the firewall. A simple

pfctl -F all -f /etc/pf.conf

fixes the problem and desktops can again do DNS resolving and surfing
the Internet.

Could somebody give me a head start on how to go about further
troubleshooting and fixing the problem? Obviously flushing states is not very
convenient.

Most Kind Regards,
Predrag Punosevac
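As an added illustration, not the poster's actual ruleset, here is a pf.conf fragment of the shape the post describes: outbound Kerberos, klogin and kshell over TCP and kerberos over UDP opened on the egress group, with the rest of the outbound traffic limited to DNS, web and ssh. The interface names cnmac0 (WAN, member of the egress group) and cnmac1 (LAN), the placeholder server address 192.0.2.10, and the inclusion of port ssh (GSSAPI-authenticated ssh still runs over the ssh port) are all assumptions.

```pf
# Added example, not the original poster's ruleset. Assumed names:
# cnmac0 is the WAN port (member of the "egress" group), cnmac1 faces the
# desktops, and 192.0.2.10 stands in for the remote server.
lan = "cnmac1"
mil = "192.0.2.10"
krb_tcp = "{ kerberos klogin kshell }"   # 88, 543, 544 in /etc/services

set skip on lo
block log all

# desktops may only use the caching resolver on the firewall for DNS
pass in on $lan inet proto { tcp udp } from $lan:network to ($lan) port domain
pass in on $lan inet proto tcp from $lan:network to any port { http https ssh }
pass in on $lan inet proto tcp from $lan:network to $mil port $krb_tcp
pass in on $lan inet proto udp from $lan:network to $mil port kerberos

# source NAT the desktops behind the dynamic egress address
match out on egress inet from $lan:network to any nat-to (egress)

# outbound: resolver queries from the firewall itself, web/ssh, and the Kerberos set
pass out on egress inet proto { tcp udp } from (egress) to any port domain
pass out on egress inet proto tcp to any port { http https ssh }
pass out on egress inet proto tcp to $mil port $krb_tcp
pass out on egress inet proto udp to $mil port kerberos
```

Two checks are worth running before and after the "bad state" appears: `ifconfig egress` and `pfctl -s Interfaces -v` show which interfaces pf currently treats as egress (the group is derived from the default route, so a change of default route changes the rules' meaning), and `pfctl -s states` plus `route -n show -inet` snapshotted at both points show whether it is the state table or the routing table that actually differs. Since `pfctl -F all` discards rules, states, tables and everything else at once, narrowing the fix to `pfctl -F states` alone (or to a plain `pfctl -f /etc/pf.conf` reload, which keeps states) tells you which of those is really involved.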

Re: Kerberos SSH routing tables problem

Byte Skeptical
Ran into a similar issue on my ERL when I used egress in my pf rules.
Ended up trunking the ethernet ports using aggr(4) and switched to using
that interface in my rules, got failover as a bonus. Still not sure why
egress behaves this way and if it's a bug or my own misunderstanding.
Running OpenBSD 6.5-current (GENERIC.MP). If this doesn't apply to your
situation, apologies and disregard.

On Mon, Jul 29, 2019 at 03:05:14PM -0400, Predrag Punosevac wrote:

--
Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.


Re: Kerberos SSH routing tables problem

Stuart Henderson
On 2019-07-29, Predrag Punosevac <[hidden email]> wrote:

Can you go into some more details about what the "bad state" is?

"routing tables (dns) are in a bad state on the firewall" doesn't
explain much (and doesn't really make sense; DNS has nothing to do with
routing tables..)