[Honeywall] Questions about update and process tree

Robert Mcmillen rvmcmil at gmail.com
Tue Dec 11 08:39:00 EST 2007


Murielle,

On Dec 11, 2007, at 5:13 AM, Murielle Savary wrote:

> Hello,
>
> I'm a Swiss student and I'm currently running the honeywall Roo 1.2  
> for my diploma. I have a few questions about this solution:
>
> 1) Which interface is used by the honeywall to update itself or to
> download the snort rules update? It seems like it uses eth2 but the
> default firewall rules block all traffic. I have found nothing in
> the documentation, and all my tries have been unsuccessful. Is there
> a way to make it use the Internet connection from eth0?

It does use eth2 as its way to the internet as long as a valid
default gateway and dns servers were specified during configuration of  
the management interface.  If you use either the dialog menu or the  
web interface to reconfigure the management interface, you can make  
sure these variables are set properly for your network to ensure  
internet connectivity.  You will also need to verify that either you  
remove the restriction of outbound internet connectivity, or you add  
the outbound ports you feel necessary for your honeywall.

dialog:

1.  as root, type menu to enter the menu dialog.
2.  select Honeywall Configuration
3.  select Remote Management
4.  select Management IP and verify.
5.  select Management Netmask and verify.
6.  select Management Gateway and verify.
7.  select DNS Servers and verify.
8.  select Restrict Honeywall Outbound Traffic (this is probably what  
is preventing you from going to the internet if all the previous  
management settings are set properly)
       a.  If you select yes.
             i.  select Honeywall Allowed Outbound TCP and fill in the  
ports you want to be able to reach.
             ii.  select Honeywall Allowed Outbound UDP and fill in  
the ports you want to be able to reach.
       b.  If you select no, the honeywall will have unlimited access  
to the internet.

web interface:

1.  System Admin tab
2.  Honeywall Configuration
3.  Remote Management.  The items here should be self explanatory and  
should resemble what the dialog describes above.


> 2) I have been trying to use sebek to gather a process tree, but it  
> doesn't display anything. I know for sure that my honeypot has been  
> cracked (it does some weird things), so I would like to know if this  
> problem comes from my configuration or it's just because there is no
> process tree to see... What I don't understand is that there is some  
> data in the table named "process tree" in mysql, but nothing shows  
> up in the web interface.

We recently uploaded some fixes to the honeynet repository for hflow  
and walleye.  Once you allow your honeywall to access the internet,  
you need to do a yum update to get these fixes.

> Thanks for your help,
>
> Murielle

Please let us know if you come across any issues.  We are trying to  
improve the honeywall and will shortly be telling the list where we  
are heading with it in the foreseeable future.

Hope this helps,

Rob

