using pf for honey pots

Gary · *nix forums beginner Joined: 15 Jun 2006 Posts: 3

It's been a while since I've used pf extensively but I'm having trouble
sorting this one out. Is there a mailing list for pf users, btw? I'm
currently trying to get Tillman Werner's honeytrap[1] to compile but until
that's ready, I've come up with something else equally amusing.

In the mean time, I've taken an unpatched install of Windows XP Home SP1,
installed it under VMware, and am fwd'ing several ports to it. I was
having trouble singling out VM's IP to block its outbound traffic so my
temporary workaround was to run the Cisco VPN client which has a ZoneAlarm
engine packed with it. If I turn on the ZA firewall, traffic to/from the
guest OS works but traffic to the virtual is inbound only since ZA blocks
all outbound traffic from it. The end result is a lot of scans and failed
attempts by various bots, kiddies, and knuckleheads w/ no real results. No
spamming, either. A a recent rev nmap scan with will still show it's
fronted by a 3.X version of OpenBSD, however. I've also fwd'd a couple of
common exploits to other ports just to confuse them. Attached below is my
pf.conf.

My goal is to try to limit the virtual honey pot's outbound access to a
small handful of ports to prevent, among other things, spam, etc. But I
can seem to only block all traffic or none -- hence the ZA workaround in
the interim. Any feedback would be most welcome.

-Gary

ext_if="hme0"
int_if="xl0"
localnet = $int_if:network
# pot fulla honey!
winbox="172.16.75.30/32"
winports="{135,139,445,1025,5000}"
client_out= {ftp-data,ftp,ssh,domain,nntp,http,https}"

set skip on lo

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# I smell honey -- do you?
rdr on $ext_if proto tcp from !$localnet to $ext_if port $winports -> $winbox
rdr on $ext_if proto udp from !$localnet to $ext_if port $winports -> $winbox
# fakeouts for Windows messaging, MS SQL, and NAV
rdr on $ext_if proto tcp from !$localnet to $ext_if port 1026 -> $winbox port 5000
rdr on $ext_if proto udp from !$localnet to $ext_if port 1026 -> $winbox port 135
rdr on $ext_if proto tcp from !$localnet to $ext_if port 1433 -> $winbox port 5000
rdr on $ext_if proto udp from !$localnet to $ext_if port 1433 -> $winbox port 135
rdr on $ext_if proto tcp from !$localnet to $ext_if port 2967 -> $winbox port 5000

anchor "ftp-proxy/*"
block in log all
pass out keep state

#pass from { lo0, $localnet } to any keep state

# honey outbound - not working yet so no point in scrubbing
#pass inet proto tcp from $localnet to any port $client_out flags S/SA keep state

pass quick on $int_if
antispoof quick for { lo $int_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

# honey pot SYN proxy 3-way handshake
pass in log proto tcp from any to $winbox port $winports flags S/SA synproxy state

dfeustel@mindspring.com · *nix forums addict Joined: 13 May 2006 Posts: 67

Gary <garyd@efn.org.spamsux> wrote:

jKILLSPAM.schipper@math.u · *nix forums Guru Wannabe Joined: 13 Nov 2005 Posts: 202

dfeustel@mindspring.com wrote:

jKILLSPAM.schipper@math.u · *nix forums Guru Wannabe Joined: 13 Nov 2005 Posts: 202

Gary <garyd@efn.org.spamsux> wrote:

Google