##################################################################### # # Spanish Honeynet Project # July, 2004 # # This file is an improved version of honeywall.conf config file # included in the Honeywall CDROM from # http://www.honeynet.org/tools/cdrom by The Honeynet Project. # It has two new options: LAN_BLOCK and LAN_ALLOWDED_IP. # ##################################################################### # Specify whether or not the Honeywall will operate as either a bridge or NAT # [Valid modes: bridge | nat] MODE=bridge # This Honeywall's public IP address(es) # [Valid argument: IP address | space delimited IP addresses] PUBLIC_IP=192.168.1.10 # DNS servers honeypots are allowed to communicate with # [Valid argument: IP address | space delimited IP addresses] DNS_SVRS= # To restrict DNS access to a specific honeypot or group of honeypots, list # them here, otherwise leave this variable blank # [Valid argument: IP address | space delimited IP addresses | blank] DNS_HOST= # The name of the externally facing network interface # [Valid argument: eth* | br* | ppp*] INET_IFACE=eth0 # The name of the internally facing network interface # [Valid argument: eth* | br* | ppp*] LAN_IFACE=eth1 # The IP internal connected to the internally facing interface # [Valid argument: IP network in CIDR notation] LAN_IP_RANGE=192.168.1.0/24 # The IP broadcast address for internal network # [Valid argument: IP broadcast address] LAN_BCAST_ADDRESS=192.168.1.255 # Enable traffic blocking from the honeypots to the LAN, to protect # the LAN hosts against any attack from the honeypots # [Valid argument: yes | no] LAN_BLOCK=no # The list of the LAN IP addresses that can be accesed from the honeypots, # such as the gateway, internal DNS servers, ... This variable is used # only if LAN_BLOCK is enabled # [Valid argument: space delimited IP addresses] LAN_ALLOWED_IP=192.168.1.1 # Enable QUEUE support to integrate with Snort-Inline filtering # [Valid argument: yes | no] QUEUE=yes # The unit of measure for setting oubtbound connection limits # [Valid argument: second, minute, hour, day, week, month, year] SCALE=hour # The number of TCP connections per unit of measure (Scale) # [Valid argument: integer] TCPRATE=9 # The number of UDP connections per unit of measure (SCALE) # [Valid argument: integer] UDPRATE=20 # The number of ICMP connections per unit of measure (SCALE) # [Valid argument: integer] ICMPRATE=50 # The number of other IP connections per unit of measure (SCALE) # [Valid argument: integer] OTHERRATE=10 # Enable the SEBEK collector which delivers keystroke and files # to a remote system even if an attacker replaces daemons such as sshd # [Valid argument: yes | no] SEBEK=no # Specify whether whether to drop SEBEK packets or allow them to be sent # outside of the Honeynet. # [Valid argument: ACCEPT | DROP] SEBEK_FATE=DROP # Specify the SEBEK destination host IP address # [Valid argument: IP address] SEBEK_DST_IP=10.0.0.1 # Specify the SEBEK destination port # [Valid argument: port] SEBEK_DST_PORT=1101 # Enable SEBEK logging in the Honeywall firewall logs # [Valid argument: yes | no] SEBEK_LOG=no # Specify the IP netmask for interface alises. One aliases will be created # on the external interface for each Honeypot # [Valid argument: IP netmask] ALIAS_MASK=255.255.255.0 # Space delimited list of Honeypot ips # NOTE: MUST HAVE SAME NUMBER OF IPS AS PUBLIC_IP VARIABLE. # [Valid argument: IP address] HPOT_IP=10.10.10.3 # Specify the IP address of the honeywall's internal ip address. This is # used in nat mode. # [Valid argument: IP address] PRIV_IP=10.0.0.1 # Specy the network interface for remote management. If set to br0, it will # assign MANAGE_IP to the logical bridge interface and allow its use as a # management interface. Set to none to disable the management interface. # [Valid argument: eth* | br* | ppp* | none] MANAGE_IFACE=eth2 # IP of management Interface # [Valid argument: IP address] MANAGE_IP=192.168.1.13 # Netmask of management Interface # [Valid argument: IP netmask] MANAGE_NETMASK=255.255.255.0 # Default Gateway of management Interface # [Valid argument: IP address] MANAGE_GATEWAY=192.168.1.1 # DNS Servers of management Interface # [Valid argument: space delimited IP addresses] MANAGE_DNS= # TCP ports allowed into the management interface. If SSH is used this list # must include the port SSHD is listening on. # [Valid argument: space delimited list of TCP ports] ALLOWED_TCP_IN=22 # Specify the IP address(es) and/or networks that are allowed to connect # to the management interface. Specify any to allow unrestricted access. # [Valid argument: IP address(es) | IP network(s) in CIDR notation | any] MANAGER=any # Specify whether or not the Honeywall will restrict outbound network # connections to specific destination ports. When bridge mode is utilized, # a management interface is required to restrict outbound network connections. # [Valid argument: yes | no] RESTRICT=yes # Specity the TCP destination ports Honeypots can send network traffic to. # [Valid argument: space delimited list of UDP ports] ALLOWED_TCP_OUT="22 25 43 80 443" # Specity the UDP destination ports Honeypots can send network traffic to. # [Valid argument: space delimited list of UDP ports] ALLOWED_UDP_OUT="53 123" # List of files that Swatch should monitor # [Valid argument: space delimited list of files with full path name] WATCH_FILES="/var/log/messages" # Specify email address to use for email alerting. # [Valid argument: any email address] ALERT_EMAIL=