Honeypots mailing list archives

OpenBSD DHCP and HoneyD (no arp proxy)


From: Todd Garrison <tag () frameloss org>
Date: Wed, 28 Jan 2004 18:27:56 -0700

This may have been covered before - I haven't followed the newsgroup too closely - but I wanted to run honeyd on an OpenBSD machine that has a DHCP assigned address. Because it took me about fifty different attempts to get it right I thought I would post an example (because I am sure someone else would want to do a similar setup and hopefully I can save them a few minutes of work.) I tried all sorts of crazy stuff and it turns out the solution is very simple.

PF is a wonderful thing :) You can do so many cool things with it:

An example /etc/pf.conf

----------------------------------
ext_if="fxp0"

# do not send ssh from local LAN to honeyd
no rdr on $ext_if proto tcp from $ext_if:network to $ext_if port 22

# so you can get a DHCP lease
no rdr on $ext_if proto udp from any to any port 68

# Cut down on garbage sent to honeyd (master-browser broadcasts, DHCP leases etc.)
no rdr on $ext_if from any to $ext_if:broadcast
no rdr on $ext_if from 0.0.0.0/32 to any
no rdr on $ext_if from 255.255.255.255/32 to any

rdr on $ext_if proto {tcp, udp, icmp} from any os {Windows} to any -> 127.0.0.17
rdr on $ext_if proto {tcp, udp, icmp} from any os {Linux, Solaris, FreeBSD, OpenBSD, HP-UX, AIX, IRIX} to any -> 127.0.0.18
rdr on $ext_if proto {tcp, udp, icmp} from any os {NMAP} to any -> 127.0.0.19

block in from 224/8
block in from no-route

pass in on $ext_if route-to (lo0 127.0.0.1) from any to 127.0.0.16/29
pass out from $ext_if to any keep state

------------- EOF ------------

Command line:

/usr/local/bin/honeyd -d -p /usr/local/share/honeyd/nmap.prints \
                        -f /usr/local/etc/honeyd.conf -i lo0  127.0.0.16/29

So . .  what's going on here?

The no rdr lines prevent packets from getting translated.
The rdr lines use p0f syntax to direct Windows Boxen to 127.0.0.17, Unix Boxen to 127.0.0.18 or NMAP to a sticky honeypot on .19 :)

the critical part is this line . . .

        pass in on $ext_if route-to (lo0 127.0.0.1) from any to 127.0.0.16/29

Because NAT happens before rules are processed, and you can't legally route from an outside interface to a loopback interface (look at how the routes are added for the loopback addresses at boot-up if you want to know why) you have to tell pf to route the next hop to 127.0.0.1 specifically using the lo0 interface (otherwise it has no idea where the 127/8 network exists.) Because you do not have an IP address assigned to anything in the 127.0.0.16/29 range your local host won't answer, but honeyd will be listening promiscuously and respond to any traffic. (My explanation probably doesn't make much sense, but the config works . . .)

I will leave the honeyd.conf file to the readers imagination - there is plenty of documentation available for that. (Do not forget to bind your templates to the IP addresses in the 127.0.0.16/29 range.)

Caveats -

pf.conf
Be sure to "keep state" for outgoing traffic, otherwise your returning connections (DNS queries, etc.) for the parent host will be redirected to honeyd (this makes it real hard to surf the web if this is a workstation.)
Don't use the "quick" keyword with "route-to" on a pass rule (caused my machine to lock up - YMMV.)
Don't "scrub" the packets, otherwise active fingerprinting of your honeypot will reveal its true nature (not Windows / Linux / whatever - actually OpenBSD.)

- Todd Garrison
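An added check for the caveats listed in the post, written as a small Python linter over the post's own pf.conf (example code, not part of the original post and not part of honeyd or pf): it parses the rdr and route-to rules, verifies that every redirect target lies inside the subnet handed to lo0 and that this subnet matches the one given to honeyd -i, and flags a missing outbound "keep state" rule, "quick" combined with "route-to", any "scrub" line, and a missing DHCP (port 68) exception. The function names, regular expressions and finding texts are this example's own, and its pf syntax coverage is limited to the rule shapes that appear in the post.

```python
"""Lint a pf.conf of the honeyd-on-loopback style from the post.

Added example, not part of the original post. Only the rule shapes used
in the post are recognised; this is not a general pf.conf parser.
"""
import ipaddress
import re

# Constructed input: the post's pf.conf, rdr rules one per line.
SAMPLE_PF_CONF = """\
ext_if="fxp0"
no rdr on $ext_if proto tcp from $ext_if:network to $ext_if port 22
no rdr on $ext_if proto udp from any to any port 68
no rdr on $ext_if from any to $ext_if:broadcast
no rdr on $ext_if from 0.0.0.0/32 to any
no rdr on $ext_if from 255.255.255.255/32 to any
rdr on $ext_if proto {tcp, udp, icmp} from any os {Windows} to any -> 127.0.0.17
rdr on $ext_if proto {tcp, udp, icmp} from any os {Linux, Solaris, FreeBSD, OpenBSD, HP-UX, AIX, IRIX} to any -> 127.0.0.18
rdr on $ext_if proto {tcp, udp, icmp} from any os {NMAP} to any -> 127.0.0.19
block in from 224/8
block in from no-route
pass in on $ext_if route-to (lo0 127.0.0.1) from any to 127.0.0.16/29
pass out from $ext_if to any keep state
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
RDR_RE = re.compile(r'^rdr\b.*?\bos\s*\{([^}]*)\}.*?->\s*(\S+)\s*$')
ROUTE_TO_RE = re.compile(
    r'^pass\s+in\b.*\broute-to\s*\(\s*(\w+)\s+(\S+)\s*\).*\bto\s+(\S+)\s*$')


def rules(text):
    """Yield (line_no, rule) for non-blank, non-comment lines, macros expanded."""
    macros = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, val in macros.items():
            line = line.replace("$" + name, val)
        yield n, line


def rdr_targets(text):
    """Map each OS fingerprint class to the honeyd address it is redirected to."""
    targets = {}
    for _, rule in rules(text):
        m = RDR_RE.match(rule)
        if m:
            for os_name in (s.strip() for s in m.group(1).split(",")):
                targets[os_name] = ipaddress.ip_address(m.group(2))
    return targets


def honeyd_subnet(text):
    """Return (interface, next_hop, subnet) from the route-to pass rule, or None."""
    for _, rule in rules(text):
        m = ROUTE_TO_RE.match(rule)
        if m:
            return (m.group(1), ipaddress.ip_address(m.group(2)),
                    ipaddress.ip_network(m.group(3)))
    return None


def lint(text, honeyd_cli_subnet="127.0.0.16/29"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    subnet = None
    route = honeyd_subnet(text)
    if route is None:
        findings.append("no 'pass in ... route-to (lo0 ...)' rule: honeyd traffic never reaches loopback")
    else:
        iface, hop, subnet = route
        if iface != "lo0" or not hop.is_loopback:
            findings.append(f"route-to must hand traffic to lo0 via a 127/8 hop, got ({iface} {hop})")
        if subnet != ipaddress.ip_network(honeyd_cli_subnet):
            findings.append(f"route-to subnet {subnet} differs from honeyd -i subnet {honeyd_cli_subnet}")
    for os_name, addr in rdr_targets(text).items():
        if subnet is not None and addr not in subnet:
            findings.append(f"rdr target {addr} for os {os_name} is outside {subnet}")
    all_rules = list(rules(text))
    for n, rule in all_rules:
        if "quick" in rule.split() and "route-to" in rule:
            findings.append(f"line {n}: 'quick' combined with 'route-to' (the post reports a lockup)")
        if rule.startswith("scrub"):
            findings.append(f"line {n}: scrub normalises packets and exposes the real OS to fingerprinting")
    if not any(r.startswith("pass out") and "keep state" in r for _, r in all_rules):
        findings.append("no 'pass out ... keep state' rule: replies to the host's own connections get redirected to honeyd")
    if not any(r.startswith("no rdr") and "port 68" in r for _, r in all_rules):
        findings.append("no 'no rdr ... port 68' exception: the host cannot obtain a DHCP lease")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PF_CONF) or ["config passes all checks"]:
        print(finding)
```

Run it against a config before loading it with pfctl; each finding names the rule it concerns, and the subnet argument should be the same value passed to honeyd -i.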
