So I've seen some of the documentation on binding the 3 honeywall
interfaces to 3 physical interfaces as well as
http://www.honeynet.org.pk/honeywall/roo/page2b.htm which shows how to
run the attacker, honeywall and honeypots all within VMWare, but I'm
still running into some issues with bridging. I'm using GSX Server
3.2.1 (also tried VMWare Server Beta).

Host - Debian Sarge
----------------------------
eth0 - interface up, no IP assigned -- this is what I want the exposed
interface to be
eth1 - management interface for host / tunnel GSX console over SSH

Honeywall (Roo-VMWare)
--------------------------------------
eth0 (bridge in) - bridged
eth1 (bridge out) - I've tried both host-only and custom (vmnet3) and
I'm confused why http://www.honeynet.org.pk/honeywall/roo/page2b.htm
says this should be another bridged interface. I tried that too but I
got a nasty ARP storm that sent honeywall CPU to 20-30 :)
eth2 - NAT or another host-only (or whatever) will do SSH forwarding
for walleye through host management interface

Honeynet (Debian Sarge)
--------------
eth0 - host only
eth1 - NAT - just used for upgrading packages, was down when trying to
get it working...

So I assign eth0 on honeynet to one of my public IPs and ping from
another public IP; my other public IP interface is plugged into a hub
that eth0 on the host is plugged into.

On the honeywall -- I see the ARPs go in eth0 and out eth1 (and
also on br0, obviously)
On the honeynet -- I see the ARP request and the honeynet sends the
ARP reply back

But I never see the ARP reply come back through on honeywall eth1.
Interestingly enough, I happened to sniff on host vmnet3 (custom) and
saw them there.
Any ideas?
Thanks,
- mdf
--
Matthew Franz
http://www.threatmind.net