Honeypots mailing list archives
Re: Honeywall eth0 eth1 & eth2
From: george chamales <george () overt org>
Date: Mon, 24 Apr 2006 18:18:37 -0400
Hello Omar,
> Is it normal when I ifconfig from root in the honeywall I found that only eth2 has an IP address, why eth0 and eth1 don't have one?
It is normal that eth0 and eth1 do not have IP addresses on the honeywall. Those two interfaces (eth0 connected to the outside world, and eth1 connected to the honeynet) are configured as a layer two bridge. For more information on how a bridge works please see: http://linux-net.osdl.org/index.php/Bridge
> How can the honeypots sebek send the packets to honeywall through eth1 if it has no IP?
Any traffic that is sent from the honeypots to the outside world passes through the honeywall. All traffic that passes through the honeywall is recorded by sniffer programs that run on the honeywall. If you configure sebek on your honeypots to use an IP address that is not on your honeynet, data sent from sebek will pass through the honeywall and it will be recorded by the data capture programs. Sebekd, the sebek sniffer program on the honeywall, will decode the packet and enter the information into the hflow database where it can be viewed through the walleye web interface.

The destination IP address and port number used by sebek are not meant to be the destination system where the packets will be recorded. Think of the IP address and port number combination as a unique identifier that the firewall on the honeywall uses to identify sebek packets. The firewall on the honeywall can be configured to drop any packets that match the sebek destination IP and port number. This way the packets will be sent off of the honeypots, recorded by the honeywall's data capture tools, and dropped by the firewall before they reach the outside world.

More information on how sebek works can be found here: http://honeynet.org/papers/sebek.pdf
> I supposed eth1 is the default gateway for my honeypots so I gave an IP address but I can't find any way of assigning that IP to eth1 (host only side of honeynet)
The honeywall does not affect the IP addresses and default gateways used by your honeypots. From the perspective of the honeypots, the honeywall is not even there. The honeypots should be configured with the same IP range and default gateway of the other systems on the network they are connected to.

Hope this clears things up. If you have any further questions, feel free to email me directly.

george
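
The capture-then-drop behaviour described in the reply above, as an added example that is not part of the original message or of the honeywall's own code: a simplified Python model of the bridge that records every frame and withholds only those addressed to the sebek destination IP and port. The addresses, the port value, the frames and all function names are constructed or assumed for illustration.

```python
import socket
import struct

# Assumed values: the destination sebek is configured with on the honeypots.
# The address is off the honeynet and no host has to own it.
SEBEK_DST = ("192.0.2.50", 1101)

def build_udp_frame(src_ip, dst_ip, dst_port, payload=b""):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp

def udp_destination(frame):
    """Return (dst_ip, dst_port) of an unfragmented IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if ihl < 20 or frame[23] != 17 or frag_offset or len(frame) < 14 + ihl + 8:
        return None
    dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return socket.inet_ntoa(frame[30:34]), dst_port

def honeywall_bridge(frames):
    """Capture every frame seen on the bridge; forward all but sebek's."""
    captured, forwarded = [], []
    for frame in frames:
        captured.append(frame)              # data capture records everything
        if udp_destination(frame) != SEBEK_DST:
            forwarded.append(frame)         # firewall lets non-sebek traffic out
    return captured, forwarded

# Constructed sample traffic leaving a honeypot at 192.168.1.10.
SAMPLE = [
    build_udp_frame("192.168.1.10", "192.0.2.50", 1101, b"sebek record"),
    build_udp_frame("192.168.1.10", "198.51.100.7", 53, b"dns query"),
    build_udp_frame("192.168.1.10", "192.0.2.50", 53, b"same IP, other port"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,  # ARP, not IP
]

if __name__ == "__main__":
    captured, forwarded = honeywall_bridge(SAMPLE)
    print(len(captured), "captured,", len(forwarded), "forwarded")
```

Only the frame matching both the IP and the port is withheld; the frame to the same IP on another port is still forwarded, which is why the pair works as an identifier rather than as a real destination.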