[Honeywall] Re: Honeywall Digest, Vol 13, Issue 12

Bjoern Weiland bjoern.weiland at rz.uni-karlsruhe.de
Mon Jun 16 10:43:39 EDT 2008


> _Honeypots_:
> 
>     * Windows honeypot: 192.168.100.10 (a default gateway is
>       eth1:192.168.100.1) (with IIS web server installed)
>     * Linux honeypot: 192.168.100.20 (a default gateway is
>       eth1:192.168.100.1) (with apache web server installed)

Misconception! eth1 (of honeywall) will not have an IP. Use your normal 
gateway of the Honeypot LAN's subnet.

> _Honeywall:_ with three interfaces:
> 
>     * internal interface eth1 (with host only mode): 192.168.100.1
>     * external interface eth0 (with bridge mode): 10.0.1.30

There should be no IP on these virtual interfaces!

HowTo:
In VMware, create 3 virtual adapters in the following order (the order 
seems to be important):
1) bridged to the interface that is connected to the Honeypot LAN (this 
will be taken over by honeywall as eth0)
2) host-only (eth1)
3) bridged to the interface that is connected to the mgmt LAN (eth2)

Then install honeywall and configure. It will automatically bridge eth0 
and eth1, therefore, these interfaces will have no IP and will belong to 
the same network. Configure your honeypot to have an IP of the 
corresponding honeypot LAN (not the mgmt LAN). This is the IP an 
attacker will attack. The gateway should be located in this LAN as well.

  -best regards, bjoern
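
Added example, not part of the original message or of the Honeywall project's code: a small audit of the layout described above, checking that the bridged ports eth0 and eth1 carry no IPv4 address and that the honeypot's gateway sits in the honeypot's own subnet. It assumes the interface list comes from `ip -o -4 addr show`; the sample output, the eth2 address and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output from a misconfigured
# Honeywall, mirroring the addresses in the quoted question (not real data).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.1.30/24 brd 10.0.1.255 scope global eth0
3: eth1    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth1
4: eth2    inet 10.0.2.5/24 brd 10.0.2.255 scope global eth2
"""

BRIDGE_PORTS = ("eth0", "eth1")  # bridged by Honeywall, so they must have no IP


def parse_ipv4(ip_output):
    """Return {interface: [IPv4Interface, ...]} parsed from the one-line format."""
    found = {}
    for line in ip_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addr = ipaddress.ip_interface(m.group(2))
            found.setdefault(m.group(1), []).append(addr)
    return found


def audit(ip_output, honeypot_cidr, honeypot_gateway):
    """Return a list of problems with the bridge ports and honeypot addressing."""
    problems = []
    addrs = parse_ipv4(ip_output)
    hp = ipaddress.ip_interface(honeypot_cidr)
    gw = ipaddress.ip_address(honeypot_gateway)
    for port in BRIDGE_PORTS:
        for a in addrs.get(port, []):
            problems.append(f"{port} has IP {a}; bridge ports must be unaddressed")
            if a.ip == gw:
                problems.append(f"honeypot gateway {gw} is the Honeywall's {port}")
    if gw not in hp.network:
        problems.append(f"gateway {gw} is outside honeypot subnet {hp.network}")
    return problems


if __name__ == "__main__":
    # The setup from the quoted question: honeypot points at eth1 as gateway.
    for p in audit(SAMPLE_IP_OUTPUT, "192.168.100.10/24", "192.168.100.1"):
        print("PROBLEM:", p)
```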

