[Honeywall] Questions about update and process tree
rvmcmil at gmail.com
Tue Dec 11 08:39:00 EST 2007
On Dec 11, 2007, at 5:13 AM, Murielle Savary wrote:
> I'm a Swiss student and I'm currently running the honeywall Roo 1.2
> for my diploma. I have a few questions about this solution:
> 1) Which interface is used by the honeywall to update itself or to
> download the snort rules update? It seems like it uses eth2 but the
> default firewall rules block all traffic. I have found nothing in
> the documentation, and all my tries have been unsuccessful. Is there
> a way to make it use the Internet connection from eth0?
It does use eth2 as its way to the internet as long as a valid
default gateway and DNS servers were specified during configuration of
the management interface. If you use either the dialog menu or the
web interface to reconfigure the management interface, you can make
sure these variables are set properly for your network to ensure
internet connectivity. You will also need to verify that either you
remove the restriction of outbound internet connectivity, or you add
the outbound ports you feel necessary for your honeywall.
1. As root, type menu to enter the menu dialog.
2. Select Honeywall Configuration.
3. Select Remote Management.
4. Select Management IP and verify.
5. Select Management Netmask and verify.
6. Select Management Gateway and verify.
7. Select DNS Servers and verify.
8. Select Restrict Honeywall Outbound Traffic (this is probably what
   is preventing you from going to the internet if all the previous
   management settings are set properly).
   a. If you select yes:
      i. Select Honeywall Allowed Outbound TCP and fill in the
         ports you want to be able to reach.
      ii. Select Honeywall Allowed Outbound UDP and fill in
          the ports you want to be able to reach.
   b. If you select no, the honeywall will have unlimited access
      to the internet.

1. System Admin tab
2. Honeywall Configuration
3. Remote Management. The items here should be self-explanatory and
   should resemble what the dialog describes above.
> 2) I have been trying to use sebek to gather a process tree, but it
> doesn't display anything. I know for sure that my honeypot has been
> cracked (it does some weird things), so I would like to know if this
> problem comes from my configuration or it's just because there is no
> process tree to see... What I don't understand is that there is some
> data in the table named "process tree" in mysql, but nothing shows
> up in the web interface.
We recently uploaded some fixes to the honeynet repository for hflow
and walleye. Once you allow your honeywall to access the internet,
you need to do a yum update to get these fixes.
> Thanks for your help,
Please let us know if you come across any issues. We are trying to
improve the honeywall and will shortly be telling the list where we
are heading with it in the foreseeable future.
Hope this helps,