Hi,

I'm not sure if this will help, but for a while I ran honeyd on the
single IP that you get via DHCP when using a cable modem. I found that
by far the simplest solution was to set up a few iptables rules on the
machine running honeyd to block all incoming traffic, to prevent that
machine's network stack from ever interfering with that traffic.
Something like

    iptables -F INPUT
    iptables -F FORWARD
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP

You can of course augment that to allow ssh access from somewhere
outside, etc., but make sure to adapt the filtering rule you pass to
honeyd on startup to ignore that traffic (unless you want to test your
setup, of course).

Since honeyd gets its traffic via pcap, it sees the traffic
nevertheless.

Hope this helps,
Christian.

On Wed, 2003-12-17 at 13:33, Craig Sharp wrote:
> Roshen,
>
> One other issue, what would I use as the gateway on the host? Currently it gets its gateway from dhcp.
>
> Craig
>
> >>> <roshen.chandran_at_paladion.net> 12/16/03 10:44PM >>>
>
> >I know that honeyd relies on arpd to use all available addresses in a network
> >but this won't work in my situation with only a single address.
>
> If I got you correctly Craig, the problem seems to be that the Honeyd
> virtual honeypot has to listen for an IP that is currently assigned to
> the Honeyd host, and you have only 1 IP to spare between the Honeyd host
> and the virtual honeypot.
>
> You could bind the virtual honeypot to the IP provided by the cable
> modem in the honeyd.conf file, and assign just any other invalid IP to
> the Honeyd host itself. You can run Arpd to respond to arp requests for
> the IP provided by the cable modem, and the Honeyd host will thus pick
> up the packets and hand them over to the Honeyd virtual honeypot.
>
> Thanks!
> -Roshen
>
> Roshen Chandran
> Paladion Networks
> http://www.paladion.net
>
>
>
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
Received on Fri Dec 19 2003 - 12:10:01 PST