I set up a CHR server some time ago that was meant to be a firewall.
The performance and feature set in the end were worse than the firewall I normally use, so I stuck with it.
However, since my firewall doesn’t have a GUI and I needed a DHCP server, and maybe a new RADIUS server, I kept CHR as a DHCP server.
Today while diagnosing something about email, I noticed CHR was attempting to make SSH connections to my email gateway. I had noticed failed attempts to connect to itself in the CHR logs before, but since it’s multihomed and has two interfaces in the same subnet (two NICs: one a VLAN trunk with all the interfaces, the other on one VLAN only as a safety for lockouts), I just figured it was discovering itself or something.
The firewall has the IP forwarding setting disabled since it became a DHCP server, so it is generating the connections on its own, and just in case I created a high-priority rule to block forwarding, but it kept trying.
I don’t remember which directions DHCP works in or if it’s handled by the stateful filter (automatically allowed to respond), so I created two more rules: one allowing UDP traffic on 67 and 68, and one last rule rejecting all outbound traffic.
Shortly after I got some OSPF updates and the log just stopped. Finally.
How can I check running processes, sockets, all that, to confirm? Maybe take a sample to submit it (and where)?

