##################################################################### # # $Id: honeywall.conf 4552 2006-10-17 01:06:51Z esammons $ # ############################################# # # Copyright (C) <2005> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 # USA # ############################################# # # This file is the Honeywall import file (aka "honeywall.conf"). # It is a list of VARIABLE=VALUE tuples (including comments as # necessary, # such as this) and whitespace lines. # # note: DO NOT surround values in quotation marks # ##################################################################### ############################ # Site variables that are # # global to all honeywalls # # at a site. # ############################ # Specify the IP address(es) and/or networks that are allowed to connect # to the management interface. Specify any to allow unrestricted access. # [Valid argument: IP address(es) | IP network(s) in CIDR notation | any] HwMANAGER=10.10.10.0/24 # Specify the port on which SSHD will listen # NOTE: Automatically aded to the list of TCP ports allowed in by IPTables # [Valid argument: TCP (port 0 - 65535)] HwSSHD_PORT=22 # Specify whether or not root can login remotely over SSH # [Valid argument: yes | no] HwSSHD_REMOTE_ROOT_LOGIN=no # NTP Time server(s) # [Valid argument: IP address] HwTIME_SVR= ############################ # Local variables that are # # specific to each # # honeywall at a site. # ############################ # Specify the system hostname # [Valid argument: string ] HwHOSTNAME=roo-test # Specify the system DNS domain # [Valid argument: string ] HwDOMAIN=localdomain #Start the Honeywall on boot # [Valid argument: yes | no] HwHONEYWALL_RUN=no # To use a headless system. # [Valid argument: yes | no] HwHEADLESS=no # This Honeywall's public IP address(es) # [Valid argument: IP address | space delimited IP addresses] HwHPOT_PUBLIC_IP=10.0.0.20 # DNS servers honeypots are allowed to communicate with # [Valid argument: IP address | space delimited IP addresses] HwDNS_SVRS= # To restrict DNS access to a specific honeypot or group of honeypots, list # them here, otherwise leave this variable blank # [Valid argument: IP address | space delimited IP addresses | blank] HwDNS_HOST= # The name of the externally facing network interface # [Valid argument: eth* | br* | ppp*] HwINET_IFACE=eth0 # The name of the internally facing network interface # [Valid argument: eth* | br* | ppp*] HwLAN_IFACE=eth1 # The IP internal connected to the internally facing interface # [Valid argument: IP network in CIDR notation] HwLAN_IP_RANGE=10.0.0.0/24 # The IP broadcast address for internal network # [Valid argument: IP broadcast address] HwLAN_BCAST_ADDRESS=10.0.0.255 # Enable QUEUE support to integrate with Snort-Inline filtering # [Valid argument: yes | no] HwQUEUE=yes # The unit of measure for setting oubtbound connection limits # [Valid argument: second, minute, hour, day, week, month, year] HwSCALE=hour # The number of TCP connections per unit of measure (HwScale) # [Valid argument: integer] HwTCPRATE=20 # The number of UDP connections per unit of measure (HwSCALE) # [Valid argument: integer] HwUDPRATE=20 # The number of ICMP connections per unit of measure (HwSCALE) # [Valid argument: integer] HwICMPRATE=50 # The number of other IP connections per unit of measure (HwSCALE) # [Valid argument: integer] HwOTHERRATE=10 # Enable the SEBEK collector which delivers keystroke and files # to a remote system even if an attacker replaces daemons such as sshd # [Valid argument: yes | no] HwSEBEK=no # Enable the Walleye Web interface. #[Valid argument: yes | no] HwWALLEYE=yes # Specify whether whether to drop SEBEK packets or allow them to be sent # outside of the Honeynet. # [Valid argument: ACCEPT | DROP] HwSEBEK_FATE=DROP # Specify the SEBEK destination host IP address # [Valid argument: IP address] HwSEBEK_DST_IP=10.0.0.253 # Specify the SEBEK destination port # [Valid argument: port] HwSEBEK_DST_PORT=1101 # Enable SEBEK logging in the Honeywall firewall logs # [Valid argument: yes | no] HwSEBEK_LOG=no # Specify whether the dialog menu is to be started on login to TTY1 # [Valid argument: yes | no ] HwMANAGE_DIALOG=yes # Specify whether management port is to be activated on start or not. # [Valid argument: yes | no ] HwMANAGE_STARTUP=yes # Specy the network interface for remote management. If set to br0, it will # assign MANAGE_IP to the logical bridge interface and allow its use as a # management interface. Set to none to disable the management interface. # [Valid argument: eth* | br* | ppp* | none] HwMANAGE_IFACE=eth2 # IP of management Interface # [Valid argument: IP address] HwMANAGE_IP=10.10.10.66 # Netmask of management Interface # [Valid argument: IP netmask] HwMANAGE_NETMASK=255.255.255.0 # Default Gateway of management Interface # [Valid argument: IP address] HwMANAGE_GATEWAY=10.10.10.1 # DNS Servers of management Interface # [Valid argument: space delimited IP addresses] HwMANAGE_DNS= # TCP ports allowed into the management interface. # Do NOT include the SSHD port. It will automatically be included # [Valid argument: space delimited list of TCP ports] HwALLOWED_TCP_IN=443 # Specify whether or not the Honeywall will restrict outbound network # connections to specific destination ports. When bridge mode is utilized, # a management interface is required to restrict outbound network connections. # [Valid argument: yes | no] HwRESTRICT=yes # Specity the TCP destination ports Honeypots can send network traffic to. # [Valid argument: space delimited list of UDP ports] HwALLOWED_TCP_OUT=22 25 43 80 443 # Specity the UDP destination ports Honeypots can send network traffic to. # [Valid argument: space delimited list of UDP ports] HwALLOWED_UDP_OUT=53 123 # Specify whether or not to start swatch and email alerting. # [Valid argument: yes | no] HwALERT=no # Specify email address to use for email alerting. # [Valid argument: any email address] HwALERT_EMAIL=root@localhost.localdomain # NIC Module List - Set this to the number and order you wish # to load NIC drivers, such that you get the order you want # for eth0, eth1, eth2, etc. # [Valid argument: list of strings] # # Example: eepro100 8139too HwNICMODLIST= # Blacklist, Whitelist, and Fencelist features. # [Valid argument: string ] HwFWBLACK=/etc/blacklist.txt # [Valid argument: string ] HwFWWHITE=/etc/whitelist.txt # [Valid argument: string ] HwFWFENCE=/etc/fencelist.txt # [Valid argument: yes | no] HwBWLIST_ENABLE=no # [Valid argument: yes | no] HwFENCELIST_ENABLE=no # The following feature allows the roo to allow attackers into the # honeypots but they can't send packets out... # [Valid argument: yes | no] HwROACHMOTEL_ENABLE=no # Disables BPF filtering based on the contents of HwHPOT_PUBLIC_IP # and the black and white list contained within HwFWBLACK and HwFWWHITE # if the HwBWLIST_ENABLE is on. Other wise, it just filters based on # the contents of HwHPOT_PUBLIC_IP # [Valid argument: yes | no] HwBPF_DISABLE=no # This capability is not yet implemented in roo. The variable # has been commented out for this reason. dittrich - 02/08/05 # Options for hard drive tuning (if needed). # [Valid argument: string ] # Example: -c 1 -m 16 -d HwHWPARMOPTS= # Should we swap capslock and control keys? HwSWAP_CAPSLOCK_CONTROL=no ########################################################################## # Snort Rule Update Variables ########################################################################## # Enable or disable automatic snort rule updates # [Valid argument: yes | no] HwRULE_ENABLE=no # Automatically restart snort and snort_inline when automatic updates are # applied and when calls to update IDS or IPs rules? # [Valid argument: yes | no] HwSNORT_RESTART=no # Oink Code - Required by Oinkmaster to retrieve VRT rule updates # See: /hw/docs/README.snortrules or # http://www.honeynet.org/tools/cdrom/roo/manual/ # for instructions on how to obtain it (Free registration). # [Valid argument: ~40 char alphanum string] HwOINKCODE= # Day automatic snort rule updates should be retrieved (for weekly updates) # For daily updates, set this to "" # [Valid argument: sun | mon | tue | wed | thu | fri | sat] HwRULE_DAY=sat # Hour of day snort rules updates should be retrieved # [Valid argument: 0 | 1 | 2 | ... | 23] (0 is Midnight, 12 is noon, 23 is 11PM) HwRULE_HOUR=3 ########################################################################## # Pcap and DB data retention settings # Currenrly ONLY used when Pcap/DB purge scripts are called # Pcap/DB data *is NOT* automatically purged ########################################################################## # Days to retain Pcap data. This will be used *IF* /dlg/config/purgePcap.pl # is called with NO arguments. # NOTE: Override this by supplying the number of days as an argument ala: # /dlg/config/purgePcap.pl HwPCAPDAYS=45 # Days to retain DB data. This will be used *IF* /dlg/config/purgeDB.pl # is called with NO arguments. # NOTE: Override this by supplying the number of days as an argument ala: # /dlg/config/purgeDB.pl HwDBDAYS=180 ########################################################################## # NAT mode is no longer supported. # Don't mess with anything below here unless you know what you're # doing! Don't say we didn't warn you, and don't try logging a bugzilla # request to clean up the mess! ########################################################################## # Space delimited list of Honeypot ips # NOTE: MUST HAVE SAME NUMBER OF IPS AS PUBLIC_IP VARIABLE. # [Valid argument: IP address] #HwHPOT_PRIV_IP_FOR_NAT= # Specify the IP address of the honeywall's internal (i.e. gateway # IP for NAT) IP address. This is only used in NAT mode. # [Valid argument: IP address ex: 192.168.10.1] #HwPRIV_IP_FOR_NAT= # Specify the IP netmask for interface alises. One aliases will be created # on the external interface for each Honeypot when in NAT mode only. # [Valid argument: IP netmask] #HwALIAS_MASK_FOR_NAT=255.255.255.0 # End of honeywall.conf parameters