On Wed, Aug 6, 2014 at 3:20 PM, Chris McQuistion <[email protected]> wrote:
> This is a weird problem.
>
> I get the daily logwatch emails from our various servers and one of the
> things that I eyeball on a regular basis is the "Users logging in through
> sshd". I like to make sure that I don't see any logins from IP addresses
> that I don't recognize (as well as failed login attempts.)
>
> We changed our firewall about a week and a half ago, over to Untangle. This
> has had no negative effect on any of the usual behavior except for one of
> our servers, a database server running RHEL 5.X (64 bit, fully up to date.)
>
> On this one system, I'm now seeing the following line in its daily Logwatch
> email:
>
> 192.168.1.254 (firewall.watkins.edu): 2 times
>
> That IP address is the firewall, itself. The firewall is NOT actually
> logging into this server. My Linux box at home is logging in via SSH, every
> day, to run backups. In the past, and with every other server that I
> remotely back up via SSH, every day, the Logwatch email reflects the IP
> address of my cable modem at home.
>
> In this one case, this server shows 192.168.1.254 (the firewall) as the
> source IP address instead of the "real" source IP address.
>
> Port forwarding to this server is set up exactly the same way as all the
> other servers. The backup program I'm running at home (dirvish) connects to
> this server, just like the other servers.
>
> The only variable that has changed is the firewall and possibly some
> recently-run yum updates. The only unique thing about this server is that
> it is our only RHEL 5 server. We also have a RHEL 6 server and several
> CentOS 5/6 servers.
>
> Any ideas?

I suspect a difference in how your firewall is set up to forward those packets. I'd look at the underlying iptables commands, not the frontend information. It sounds like the firewall is rewriting the source address on those packets.

--
Tilghman

--
--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
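
The check suggested in the reply, as an added example that is not part of the thread: given the firewall's `iptables-save -t nat` output, list every port-forwarded host whose inbound connections would also match a source-rewriting (SNAT or MASQUERADE) rule, which is what makes sshd log the firewall's address instead of the client's. The sample ruleset, interface names and client address are constructed, and the sketch assumes the rules sit directly in PREROUTING and POSTROUTING rather than in vendor-specific sub-chains.

```python
import ipaddress
import shlex

# Constructed `iptables-save -t nat` output. Interfaces (eth0 = WAN, eth1 = LAN),
# ports and the two internal hosts are assumptions, not values from the thread.
SAMPLE = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2201 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2202 -j DNAT --to-destination 192.168.1.20:22
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.20/32 -o eth1 -j SNAT --to-source 192.168.1.254
COMMIT
"""

def parse_rule(line):
    """Split one '-A' line into (chain, {option: (value, negated)})."""
    tok, opts, i, neg = shlex.split(line), {}, 2, False
    while i < len(tok):
        if tok[i] == "!":                      # '!' negates the option that follows
            neg, i = True, i + 1
            continue
        key, val = tok[i], None
        if i + 1 < len(tok) and tok[i + 1] != "!" and not tok[i + 1].startswith("-"):
            val, i = tok[i + 1], i + 1
        opts[key], neg, i = (val, neg), False, i + 1
    return tok[1], opts

def admits(opt, test):
    """An absent option matches everything; otherwise apply the test, honouring '!'."""
    return True if opt is None else test(opt[0]) != opt[1]

def source_rewrites(save_text, lan_if, client):
    """List (internal_host, target, to_source) where a port-forwarded connection
    from `client` would also hit a source-rewriting POSTROUTING rule."""
    rules = [parse_rule(l) for l in save_text.splitlines() if l.startswith("-A ")]
    src, found = ipaddress.ip_address(client), []
    for chain, fwd in rules:
        if chain != "PREROUTING" or fwd.get("-j", (None,))[0] != "DNAT":
            continue
        # Assumes a single IPv4 address[:port] in --to-destination, not a range.
        host = ipaddress.ip_address(fwd["--to-destination"][0].split(":")[0])
        for chain2, nat in rules:
            if chain2 != "POSTROUTING" or nat.get("-j", (None,))[0] not in ("SNAT", "MASQUERADE"):
                continue
            if (admits(nat.get("-o"), lambda v: v == lan_if)
                    and admits(nat.get("-s"), lambda v: src in ipaddress.ip_network(v, strict=False))
                    and admits(nat.get("-d"), lambda v: host in ipaddress.ip_network(v, strict=False))):
                found.append((str(host), nat["-j"][0], nat.get("--to-source", (None,))[0]))
    return found
```

Calling `source_rewrites(SAMPLE, "eth1", "203.0.113.7")` reports only 192.168.1.20: the WAN-side MASQUERADE rule never applies to traffic leaving the LAN interface, while the per-host SNAT rule does. A `to_source` of `None` on a MASQUERADE hit means the address of the outgoing interface is used.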
