Honeypots mailing list archives

honeyd, farpd, debian: problem running the scripts


From: Jan Reister <jan.reister () unimi it>
Date: Wed, 20 Apr 2005 17:13:27 +0200

I run honeyd with farpd (i.e. arpd) on Debian Linux 2.4 in an unallocated public IP range. The honeyd server sits in the range.

When farpd and honeyd are started, the hosts configured in the template start as planned. An nmap scan correctly shows each honeypot-host with its open ports and OS.

However, I can't add a script to a port, like scripts/web.sh or scripts/test.sh. Whenever I try to connect to a port where a script is configured, I get a "Connection closed by foreign host".

An Ethereal capture of the connection shows a TCP "syn, ack, fin" stream between my machine and the honeypot, followed by an ICMP "destination unreachable" from the honeyd server.

This is a piece of the config file, which actually comes with the default Debian package:

create template
set template personality "Microsoft Windows XP Professional SP1"
set template uptime 1728650
set template maxfds 35
#add template tcp port 80 "scripts/iis5.net/main.pl"
add template tcp port 80 "sh scripts/web.sh"
add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add template tcp port 23 proxy $ipsrc:23
add template udp port 53 proxy 159.149.10.1:53
set template default tcp action reset
# Debian-specific (use nobody = 65534 instead of 32767)
set template uid 65534 gid 65534
bind (ip) template

Script permissions and path are OK, and the scripts work locally on the server; there are no iptables rules interfering.

Any idea about the solution?

Jan Reister

