Honeypots mailing list archives

Re: honeywall roo: rc.firewall questions


From: Jocelyn Parker <jocelynp () ti parmapatas net>
Date: Sat, 28 May 2005 11:23:32 +0200

James,

I think HwRESTRICT (yes/no) is meant to establish whether the honeywall itself is to be restricted in the type of outgoing traffic it can generate (nothing to do with traffic going through it, from or to the honeypots). If that assumption is correct (I think the messages you see when you configure the system using the "interview" method in the "menu" confirm this) and HwRESTRICT is enabled, then:

- HwALLOWED_TCP_OUT and HwALLOWED_UDP_OUT list the TCP and UDP ports that the honeypot itself is allowed to open connections to.

  - It is correct that these rules apply to the OUTPUT chain.

What I don't see is why these rules are located inside the "ROACHMOTEL=no" section in rc.firewall. The way I see it, ROACHMOTEL (yes/no) is an all-or-nothing variable to decide whether honeypots can initiate connections to the outside world or not. If ROACHMOTEL=yes then no outgoing connection from the honeypots is allowed. If ROACHMOTEL=no then all outgoing connections from the honeypots are allowed (but rate-limited). I think HwRESTRICT and ROACHMOTEL should be completely independent.

I may be missing something, though, because the programmer explicitly stated that the HwRESTRICT block should be subject to the ROACHMOTEL mode: :-(

(/etc/init.d/rc.firewall, line 522):
# Moved the following block to this location, should be subject to ROACHMOTEL mode

Makes sense?

You may want to log a bug report at https://bugs.honeynet.org and see what the official response is.

Jocelyn.
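Added example, not code from honeywall roo's rc.firewall and not part of the message above: a small POSIX-shell generator that prints the two rule sets the message treats as independent, the honeywall's own OUTPUT restriction driven by HwRESTRICT, HwALLOWED_TCP_OUT and HwALLOWED_UDP_OUT, and the honeypots' FORWARD policy driven by ROACHMOTEL. The iptables rule forms, the stateful match, the "br0" interface name and the rate-limit figures are assumptions made for illustration, not the honeywall's actual rules.

```shell
#!/bin/sh
# Added example, not honeywall roo's own rc.firewall code. It only PRINTS
# iptables commands so the resulting policy can be inspected (or piped to
# sh on a test box). Assumptions: space-separated port lists as in the
# rc.firewall variables, "br0" as the honeypot-facing bridge interface,
# and the rate-limit figures used for ROACHMOTEL=no.

HwRESTRICT=yes
HwALLOWED_TCP_OUT="22 53 80 443"
HwALLOWED_UDP_OUT="53 123"
ROACHMOTEL=no

# honeywall_output_rules RESTRICT "TCP ports" "UDP ports"
# Rules for the honeywall's OWN traffic (OUTPUT chain). Deliberately
# independent of ROACHMOTEL: nothing here concerns traffic crossing the bridge.
honeywall_output_rules() {
    restrict=$1; tcp_ports=$2; udp_ports=$3
    if [ "$restrict" != "yes" ]; then
        # HwRESTRICT=no: the honeywall may open connections to anything.
        echo "iptables -P OUTPUT ACCEPT"
        return 0
    fi
    # HwRESTRICT=yes: default drop, then allow only the listed destination ports.
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $tcp_ports; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A OUTPUT -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# honeypot_forward_rules ROACHMOTEL HONEYPOT_IFACE
# Rules for traffic FROM the honeypots THROUGH the honeywall (FORWARD chain).
# yes: honeypots may not initiate any outbound connection;
# no: outbound connections allowed, but rate-limited.
honeypot_forward_rules() {
    mode=$1; iface=$2
    # Replies to connections that attackers opened towards the honeypots.
    echo "iptables -A FORWARD -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = "yes" ]; then
        echo "iptables -A FORWARD -i $iface -m state --state NEW -j DROP"
        return 0
    fi
    # Assumed figures: a burst of 20 new outbound connections, then 10/hour.
    echo "iptables -A FORWARD -i $iface -m state --state NEW -m limit --limit 10/hour --limit-burst 20 -j ACCEPT"
    echo "iptables -A FORWARD -i $iface -m state --state NEW -j DROP"
}

# Stand-alone run: print both rule sets for the settings above.
honeywall_output_rules "$HwRESTRICT" "$HwALLOWED_TCP_OUT" "$HwALLOWED_UDP_OUT"
honeypot_forward_rules "$ROACHMOTEL" br0
```

Because the two functions take their own switch as an argument, flipping ROACHMOTEL changes only the FORWARD output and flipping HwRESTRICT changes only the OUTPUT output, which is the separation the message argues rc.firewall should have.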

