Honeypots mailing list archives

Honeyd - why this behavior


From: "Ivan Esteban Rivera Uria" <irivera () bnc-corp com>
Date: Tue, 19 Apr 2005 18:57:33 -0500


I don't know why honeyd has the following behavior.

I make my configuration file like this:

--># templates
-->create default
-->set default default tcp action block
-->set default default udp action block
-->
-->
-->
--># windows
-->create windowsxp
-->set windowsxp personality "Cisco Router/Switch with IOS 11.2"
-->set windowsxp default tcp action reset
-->set windowsxp default udp action reset
-->set windowsxp uptime 1728650
-->add windowsxp tcp port 80 proxy www.google.com:80
-->add windowsxp tcp port 135 open
-->add windowsxp tcp port 445 open
-->
--># router
-->create router
-->set router personality "Cisco 1601 (IOS 11.0) or DECbrouter90T1 (Runs Cisco IOS 10.2(5))"
-->set router default tcp action reset
-->set router default udp action reset
-->add router tcp port 23 open
-->
-->bind 192.168.31.115 windowsxp
-->bind 192.168.31.116 router
-->bind 192.168.31.117 router

When I run nmap -sT -PT -PI -p 22-26 -T 192.168.31.117, I get the following
information:

-->Starting nmap V. 3.00 ( www.insecure.org/nmap )
-->Interesting ports on  (192.168.31.117):
-->Port       State       Service
-->22/tcp     filtered    ssh                     
-->23/tcp     open        telnet                  
-->24/tcp     filtered    priv-mail               
-->25/tcp     open        smtp                    
-->26/tcp     filtered    unknown                 
-->Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds

Why do I see more open ports? I did not make that configuration...

I built honeyd-1.0 on a Fedora Core 3 box, and the kernel version is
2.6.11-1-14_FC3. I use all new versions.

I execute the following command:
 # honeyd -d -p nmap.prints -f honeyd.conf2 -l honeyd.log -u 500 -g 500 --disable-webserver

I do not understand the reason for this behavior... could you help me?

Thanks


Ivan 
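
An added example, not part of the original message and not honeyd's own code: it derives from the posted `router` template what a TCP connect scan of 192.168.31.117 should report and lists where the posted nmap output differs. The function names are hypothetical, and the mapping of honeyd actions to nmap states (`reset` reported as closed, `block` as filtered) is an assumption about how a connect scan sees those responses.

```python
import re

# Excerpt of the config from the post: only the template bound to 192.168.31.117.
HONEYD_CONF = """
create router
set router default tcp action reset
add router tcp port 23 open
bind 192.168.31.117 router
"""
# Port table copied from the nmap output in the post.
NMAP_OUTPUT = """
22/tcp     filtered    ssh
23/tcp     open        telnet
24/tcp     filtered    priv-mail
25/tcp     open        smtp
26/tcp     filtered    unknown
"""
# Assumption: how a TCP connect scan reports each honeyd action.
ACTION_TO_STATE = {"open": "open", "reset": "closed", "block": "filtered"}

def parse_conf(text):
    # Returns ({template: {"default": action, "ports": {port: action}}}, {ip: template}).
    templates, binds = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == "bind":
            binds[tok[1]] = tok[2]
        elif len(tok) >= 6 and tok[0] in ("set", "add"):
            tpl = templates.setdefault(tok[1], {"default": None, "ports": {}})
            if tok[0] == "set" and tok[2:5] == ["default", "tcp", "action"]:
                tpl["default"] = tok[5]
            elif tok[0] == "add" and tok[2:4] == ["tcp", "port"]:
                tpl["ports"][int(tok[4])] = tok[5]
    return templates, binds

def parse_nmap(text):
    # Maps each scanned TCP port to the state nmap printed for it.
    return {int(m[1]): m[2] for m in re.finditer(r"^(\d+)/tcp\s+(\S+)", text, re.M)}

def mismatches(conf, scan, ip):
    # Lists (port, state implied by the config, state nmap reported) where they differ.
    templates, binds = parse_conf(conf)
    tpl = templates[binds[ip]]
    out = []
    for port, seen in sorted(parse_nmap(scan).items()):
        expected = ACTION_TO_STATE.get(tpl["ports"].get(port, tpl["default"]), "unknown")
        if seen != expected:
            out.append((port, expected, seen))
    return out

if __name__ == "__main__":
    for port, expected, seen in mismatches(HONEYD_CONF, NMAP_OUTPUT, "192.168.31.117"):
        print(f"{port}/tcp: config implies {expected}, nmap reported {seen}")
```

On the posted data, only port 23 matches the template: 22, 24 and 26 come back filtered where the `reset` default implies closed, and 25 comes back open with no matching `add` line.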


