. Welcome to the Virus.Org Mailing List Archive  
Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots

  • To: [EMAIL PROTECTED]
  • Subject: Re: Bridging firewalls, honeynet.org rc.firewall, and UML honeypots
  • From: Mike Tremoulet <[EMAIL PROTECTED]>
  • Date: Wed, 17 Nov 2004 09:41:57 -0600
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
  • Reply-to: Mike Tremoulet <[EMAIL PROTECTED]>
On Wed, 17 Nov 2004 15:54:14 +0100, no-ctrl <[EMAIL PROTECTED]> wrote:
> Hello,
> 
> Unfortunately I ran into the same sort of problems. I'm trying to run a UML honeypot on SUSE 9.1 in bridging mode, but it doesn't work. I've looked at a couple of howtos, but they are not solving my problems. I can't even find out how to check whether my kernel supports iptables with a bridge or whether I need ebtables?!
> 
> At this moment I have the bridging at work both to and from the guest, but when I enable iptables, I can only get into my UML. I would like to go through some logging of iptables, but... euh. I cannot find it (I used the firewall.rc from the honeynet.org site).
> 
> Can anybody show me a place where this setup is properly explained (with up-to-date info)?
> 
> Regards,
> 
> Luke
> 

I've just about got all the bugs worked out now, and since I haven't
seen it written up, I'm putting together a whitepaper on the setup.

The 2.6 kernel supports bridging, so I didn't need to add ebtables on
the host.  However, the rc.firewall script looks at the input and
output logical devices.  What I had to do was change almost all of the
-i $iface parts of the rules into -m physdev --physdev-in $iface.  If
you just log every packet through the FORWARD chain, you'll see that
the logical in and out devices are both the bridge (br0), but the
physdev in and out devices are the actual interfaces.

I'll post to the list when I have a draft written.

Thanks,
-- Mike

-- 
just a Gnome of Zurich ... feeding tiny bits of information from all over...
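An added example, not the honeynet.org rc.firewall and not Mike's own script, showing the rewrite he describes in working shell: a function that converts `-i`/`-o` rules on the FORWARD chain into `-m physdev --physdev-in`/`--physdev-out` matches, the LOG rule used to see why the rewrite is needed (on a bridge the logical IN/OUT are both br0; PHYSIN/PHYSOUT are the real ports), and a kernel check for the two things a bridging firewall depends on. The interface names eth0/eth1/br0, the variable names in the constructed sample rules and the minimal rule set are assumptions; the rc.firewall connection-limiting logic is not reproduced. The script prints the rules instead of loading them unless IPTABLES=iptables is exported.

```shell
#!/bin/sh
# Added example (not the honeynet.org rc.firewall): rewriting a routing
# firewall's -i/-o rules for a Linux 2.6 bridging honeywall.
# Interface names and the rule set are assumptions for illustration.

INET_IFACE=${INET_IFACE:-eth0}   # assumed: bridge port facing the Internet
LAN_IFACE=${LAN_IFACE:-eth1}     # assumed: bridge port facing the UML guests
BRIDGE=${BRIDGE:-br0}            # the logical device that -i/-o would see

# Dry run unless IPTABLES=iptables is exported: rules are printed, not
# loaded, so the script can be read and tested without root.
IPTABLES=${IPTABLES:-echo iptables}

# Rewrite one rule line. For frames crossing the bridge, "-i X" and "-o X"
# both refer to $BRIDGE, so the physical port has to be selected with the
# physdev match instead. Only FORWARD rules are touched: INPUT/OUTPUT rules
# for the host itself keep -i/-o. Handles "-i", "-o", or both, collapsing
# the two matches into a single "-m physdev" when both are present.
bridgeify_rule() {
    printf '%s\n' "$1" | sed -E '
        / -[AI] FORWARD /!b
        s/ -i (\$?[A-Za-z0-9_.-]+)/ -m physdev --physdev-in \1/
        s/ -o (\$?[A-Za-z0-9_.-]+)/ -m physdev --physdev-out \1/
        s/(--physdev-in [^ ]+) -m physdev (--physdev-out)/\1 \2/
        s/(--physdev-out [^ ]+) -m physdev (--physdev-in)/\1 \2/
    '
}

# Log every frame crossing the bridge. The kernel LOG target prints
# IN=br0 OUT=br0 for the logical devices and PHYSIN=/PHYSOUT= for the real
# ports, which is the quickest way to see which names the rules must use.
log_forward() {
    $IPTABLES -A FORWARD -j LOG --log-prefix "BR-FWD: " --log-level info
}

# Minimal bridge policy: everything in, everything out, with new outbound
# connections from the honeypots logged. --physdev-out is only meaningful
# for bridged traffic, which is all the FORWARD chain sees on a pure bridge.
load_bridge_rules() {
    log_forward
    $IPTABLES -A FORWARD -m physdev --physdev-in "$INET_IFACE" \
        --physdev-out "$LAN_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-in "$LAN_IFACE" \
        --physdev-out "$INET_IFACE" -m state --state NEW \
        -j LOG --log-prefix "OUTBOUND-NEW: "
    $IPTABLES -A FORWARD -m physdev --physdev-in "$LAN_IFACE" \
        --physdev-out "$INET_IFACE" -j ACCEPT
}

# Check that the kernel hands bridged IPv4 frames to iptables at all and
# that the physdev match was built. Without CONFIG_BRIDGE_NETFILTER the
# bridge forwards traffic iptables never sees; the sysctl (present on
# 2.6 kernels built with it) must read 1. Run as root on the host.
check_bridge_netfilter() {
    cfg=/boot/config-$(uname -r)
    [ -f "$cfg" ] && grep -E 'CONFIG_BRIDGE_NETFILTER|MATCH_PHYSDEV' "$cfg"
    sysctl=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$sysctl" ] && printf 'bridge-nf-call-iptables=%s\n' "$(cat "$sysctl")"
}

# Demo on two constructed rc.firewall-style lines, then the bridge rule set.
bridgeify_rule 'iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -j ACCEPT'
bridgeify_rule 'iptables -A INPUT -i $MANAGE_IFACE -j ACCEPT'
load_bridge_rules
```

To apply the conversion to a whole script, feed it line by line (`while IFS= read -r l; do bridgeify_rule "$l"; done < rc.firewall > rc.firewall.bridge`) and review the result before running it; rules that reference the bridge device itself in INPUT/OUTPUT are left alone on purpose.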
Copyright (c) Virus.Org 1997-2006.