[Honeywall] Honeywall setup on VMware Server

Fahim Abbasi mailtofahim at gmail.com
Mon May 19 07:55:51 EDT 2008


Hi All,

I'm Fahim, working on deploying a virtual honeynet at my university.
After doing thorough literature reviews and studying various design
strategies implemented elsewhere, I decided to carry out a small
implementation (a mock implementation of a Honeywall honeynet) on my
laptop.

Moving towards the implementation phase, I was trying to set up a
honeynet on my laptop with VMware. It's up and running following the PK
VMware Honeynet How-To
(http://www.honeynet.pk/honeywall/roo/page2b.htm).
However, the honeywall doesn't seem to be logging anything :S Life sux!

I'm on Linux FC8. VMware is up and running. Other details are:

I am able to ping nodes from the honeypot to the GW and access the Walleye
interface via HTTPS fine. But unfortunately the honeywall doesn't seem to
log any activity, suggesting the bridge is being bypassed. More
details are provided in the conf below. The PK honeynet how-to seems a
bit confusing, as I believe that since the honeypot is on the vmnet1 segment
it's not being routed through the bridge, and thus snort and tcpdump on
both the eth0 and eth1 interfaces of the honeywall can't see any traffic
except ARP broadcasts. On eth2 I see packets arriving and being logged,
as it's the default GW for the honeypot.

Allowing outbound traffic from the honeywall, I am able to ping both
the honeypot and host-eth0 from the honeywall. tcpdump on eth2 shows
the packets are being received from the honeypot, but they aren't
getting forwarded to the host subnet.
Please advise.

Another observation is that using the vmnet1 IP as GW for the honeypot
(vm2-winxp) instead of eth2 of the honeywall, I'm able to ping host eth0
(192.168.1.1), but then again the honeywall's eth0 and eth1 ports see no
traffic with tcpdump. Please advise.

Design is as follows:

-HOST- ETH0 (192.168.1.1)
| |
| |
|
VM1-Honeywall-GW-(ETH0) BR (vmnet0)----VM1-Honeywall-GW-VM1(ETH1) BR (vmnet0)
VM1- Honeywall-GW -VMNET1 (172.16.72.200) -eth2
|
|
|
|
VMNET1 (172.16.72.1) - sw
|
|
VM2 - WINXP-(ETH0)(vmnet1)
IP 172.16.72.10
GW 172.16.72.200



Having some network experience, I somehow cannot agree with the design
laid out by the PK project people:
http://www.honeynet.pk/honeywall/roo/page2b.htm

1. They have shown eth0 and eth1 of the honeywall as bridged and eth2 as
host-only in the VMware conf, knowing that the first two interfaces (eth0
and eth1) will again be bridged further by the Honeywall setup by default!
2. If it's bridging between 2 different LAN segments, which seems the
correct way to go from a bridge perspective (vmnet0 and 1), then does
that mean we have to assign a public IP to the vmnet1 virtual switch? I.e. we
would require 3 public IPs:
host-eth0(pubip)--->GW-ETH0-(BRIDGED)-HONEYWALL-ETH1(VMNET1-HOST
ONLY)------>vmnet1(pubip)---->VM-honeypot-eth0-(pubip)

Also checking the status info, it seems that the honeywall doesn't like this either:
"Invalid NIC: eth0 is not a valid network interface. specify another
device or check the status menu for a list of valid devices" -
honeywall conf mode and IP info menu
"Invalid NIC: eth1 is not a valid network interface. specify another
device or check the status menu for a list of valid devices" -
honeywall conf mode and IP info menu


 ##### V M W A R E
######################
At least one instance of VMware Server is still running.

Bridged networking on /dev/vmnet0 is running
Host-only networking on /dev/vmnet1 is running
Host-only networking on /dev/vmnet8 is running

NAT networking on /dev/vmnet8 is running
Module vmmon loaded
Module vmnet loaded

#### VM1 - NETWORK
########################

ETH0 ON /DEV/VMNET0
ETH1 ON /DEV/VMNET0
ETH2 ON /DEV/VMNET1 (I'M USING THIS AS MGMT; IP IS 172.16.72.200, GW IS
.72.1 ---> WORKING FINE, INTERFACE ACCESSIBLE AND ALL)

#### HONEYPOT NETWORK
######################

WINXP-SP2 HONEYPOT
ETH0: 172.16.72.10
GW: .72.200

--------------- IFCONFIG ON HOST-----------------
-------------------------------------------------

eth0 Link encap:Ethernet HWaddr 00:19:D1:1E:C9:F6
inet addr:192.168.1.1 Bcast:172.16.72.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3567167 errors:0 dropped:0 overruns:0 frame:0
TX packets:12349627 errors:0 dropped:0 overruns:0 carrier:0
collisions:1 txqueuelen:1000
RX bytes:357326919 (340.7 MiB) TX bytes:1275014016 (1.1 GiB)
Interrupt:18 Base address:0xe800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7836 errors:0 dropped:0 overruns:0 frame:0
TX packets:7836 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3135329 (2.9 MiB) TX bytes:3135329 (2.9 MiB)

vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
inet addr:172.16.72.1 Bcast:172.16.72.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:273 errors:0 dropped:0 overruns:0 frame:0
TX packets:112 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Please advise.

Thanks, Fahim
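Editor's added example, not part of Fahim's message or of the PK how-to: a small shell check that reads the NIC assignments out of VMware Server .vmx files and reports whether a honeypot's vmnet actually passes through the honeywall's bridge pair (ethernet0 outside, ethernet1 inside). The .vmx contents are constructed for the example; one mirrors the layout posted above (honeywall eth0 and eth1 both bridged to vmnet0, eth2 and the honeypot host-only on vmnet1), the other moves eth1 onto vmnet1 with the honeypot. The key names ethernetN.connectionType and ethernetN.vnet are VMware's; the default-vmnet mapping for NICs without an explicit vnet (bridged = vmnet0, hostonly = vmnet1, nat = vmnet8) is an assumption taken from the "vmware status" output in the message, and the vmnet2 management segment is purely illustrative.

```shell
#!/bin/sh
# Editor's added example (not from the original post or the PK how-to).
# Reads NIC assignments from VMware Server .vmx files and checks that a
# honeypot's vmnet really passes through the honeywall's bridge pair:
#   - honeywall ethernet0 (outside) and ethernet1 (inside) must be on
#     DIFFERENT vmnets, otherwise there are no two segments to bridge;
#   - the honeypot NIC must be on the SAME vmnet as honeywall ethernet1,
#     otherwise its traffic never crosses the bridge and snort/tcpdump on
#     eth0/eth1 see nothing but broadcasts.
# Assumption: NICs with no explicit ethernetN.vnet land on the default
# vmnet for their type (bridged=vmnet0, hostonly=vmnet1, nat=vmnet8),
# matching the "vmware status" output quoted in the message.

# Print "ethernetN type /dev/vmnetX" for every NIC in a .vmx file.
vmx_nics() {
    awk -F'"' '
        /^ethernet[0-9]+\.connectionType/ { split($1, k, "."); type[k[1]] = $2 }
        /^ethernet[0-9]+\.vnet/           { split($1, k, "."); vnet[k[1]] = $2 }
        END {
            for (n in type) {
                v = vnet[n]
                if (v == "") {
                    if (type[n] == "bridged")       v = "/dev/vmnet0"
                    else if (type[n] == "hostonly") v = "/dev/vmnet1"
                    else if (type[n] == "nat")      v = "/dev/vmnet8"
                    else                            v = "unknown"
                }
                print n, type[n], v
            }
        }' "$1" | sort
}

# Print the vmnet a single NIC (e.g. ethernet1) of a .vmx file sits on.
vnet_of() {
    vmx_nics "$1" | awk -v nic="$2" '$1 == nic { print $3 }'
}

# check_honeywall_path HONEYWALL.vmx HONEYPOT.vmx [HONEYPOT_NIC]
# Returns 0 when the honeypot sits behind the honeywall bridge, 1 otherwise.
check_honeywall_path() {
    outside=$(vnet_of "$1" ethernet0)
    inside=$(vnet_of "$1" ethernet1)
    target=$(vnet_of "$2" "${3:-ethernet0}")
    rc=0
    if [ "$outside" = "$inside" ]; then
        echo "FAIL: honeywall eth0 and eth1 are both on $outside; no segments to bridge"
        rc=1
    fi
    if [ "$target" != "$inside" ]; then
        echo "FAIL: honeypot on $target but honeywall eth1 on $inside; traffic bypasses the bridge"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $outside <-> honeywall bridge <-> $inside (honeypot side)"
    return "$rc"
}

# Constructed .vmx fragments for the demo (only the network keys matter).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Layout from the message: eth0 and eth1 both bridged (vmnet0), eth2 host-only (vmnet1).
cat > "$WORK/honeywall-as-posted.vmx" <<'EOF'
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "TRUE"
ethernet2.connectionType = "hostonly"
EOF

# Alternative: eth1 on vmnet1 with the honeypot; management eth2 on an illustrative vmnet2.
cat > "$WORK/honeywall-bridged-to-vmnet1.vmx" <<'EOF'
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "/dev/vmnet1"
ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "/dev/vmnet2"
EOF

# The Windows XP honeypot: one host-only NIC, i.e. vmnet1.
cat > "$WORK/honeypot.vmx" <<'EOF'
config.version = "8"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
EOF

for hw in honeywall-as-posted honeywall-bridged-to-vmnet1; do
    echo "== $hw"
    vmx_nics "$WORK/$hw.vmx"
    check_honeywall_path "$WORK/$hw.vmx" "$WORK/honeypot.vmx" || :
done
```

Run it against real files with check_honeywall_path /path/to/honeywall.vmx /path/to/honeypot.vmx. The honeywall bridge is layer 2, so once the honeypot shares a vmnet with the honeywall's eth1 it keeps an address from the LAN subnet on the eth0 side; the vmnet1 host adapter does not need an address of its own on that subnet. After changing the .vmx, tcpdump -ni on the honeywall's bridge interface (br0) should show the honeypot's traffic.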

