r10 - 10 Nov 2008 - 03:00:29 - JamesMcQuaid

Honeywall and Smoothwall Configuration Samples

Smoothwall Express 3.0: be sure to apply the two patch packages that are now available.

  • snort_smoothwall3.conf: this configuration uses the Stream5 preprocessor and a large number of rules, yet still runs on a machine with 1 GB of RAM.

  • config-ipblock_Smoothwall3: IP blocks for Smoothwall 3, including Russian Business Network IP ranges. The config file in the var/ipblock folder is processed by smoothd as a batch, and that batch can hold at most 720 IP ranges; once the file grows past that size the batch is no longer processed and "smoothd ipbatch buffer size exceeded" is logged in var/log/messages (the same error shows up in the web interface under logs.cgi, SmoothD). If you need to block a larger number of malicious IP addresses, you must use another firewall. Updated 7-13-2008.

  • config-hosts: 184,682 hosts (organized crime, RBN affiliates, malware hosts and other bad actors) blacklisted for Smoothwall 3. Leave the last line blank. Place the file in /var/smoothwall/hosts/ and rename config-hosts to config. Updated 11-10-2008.

  • hosts: a hosts file that protects your home network from 184,682 bad domains on Smoothwall 3; place it in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use the local loopback address as the BlackHole target. Updated 11-10-2008.

  • dedupe.pl.txt: rename to dedupe.pl. Sorts Smoothwall's /var/smoothwall/hosts/config file and removes duplicate entries, writing the result to configNew (which you then rename to config). With slight modification it can also dedupe IP address lists.
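
The two list-hygiene tasks described above (deduplicating the hosts config, and staying under smoothd's 720-range ipbatch limit) as one added example. This is not the page's dedupe.pl and not Smoothwall code; it re-implements what the page says dedupe.pl does in Python and adds a size check for config-ipblock. It assumes list lines can be treated as opaque entries and that the IP or CIDR range is the first comma-separated field of an ipblock line; the sample data is constructed.

```python
# Added example, not code from the page or from Smoothwall: a Python
# re-implementation of what the page says dedupe.pl does, plus a size check
# for config-ipblock based on the 720-range limit stated above.
# Assumptions (not from the page): list lines are treated as opaque entries,
# and in the ipblock file the IP or CIDR range is the first comma-separated
# field.  All sample data below is constructed.
import ipaddress
from typing import List, Tuple

IPBLOCK_MAX_RANGES = 720   # limit reported on the page for smoothd's ipbatch buffer


def dedupe_hosts(text: str) -> Tuple[str, int]:
    """Sort /var/smoothwall/hosts/config-style text and drop duplicates.

    Duplicates are detected case-insensitively after trimming whitespace;
    blank lines and '#' comments are discarded.  The returned text ends with
    a blank line, as the page requires for config-hosts.
    Returns (new_text, duplicates_removed).
    """
    first_seen = {}          # lower-cased entry -> original spelling
    removed = 0
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        key = entry.lower()
        if key in first_seen:
            removed += 1
        else:
            first_seen[key] = entry
    ordered = [first_seen[k] for k in sorted(first_seen)]
    return "\n".join(ordered) + "\n\n", removed


def check_ipblock(text: str) -> Tuple[int, List[str]]:
    """Validate a config-ipblock-style file against smoothd's batch limit.

    Returns (valid_range_count, problems).  Malformed lines are reported
    individually; if the valid count exceeds IPBLOCK_MAX_RANGES a single
    warning is appended, since smoothd stops processing the batch and logs
    "smoothd ipbatch buffer size exceeded".
    """
    count = 0
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        field = entry.split(",", 1)[0].strip()
        try:
            ipaddress.ip_network(field, strict=False)   # accepts a host or a CIDR range
        except ValueError:
            problems.append(f"line {lineno}: {field!r} is not an IP address or CIDR range")
            continue
        count += 1
    if count > IPBLOCK_MAX_RANGES:
        problems.append(
            f"{count} ranges exceeds smoothd's limit of {IPBLOCK_MAX_RANGES}; "
            "the batch will not be processed (smoothd logs 'ipbatch buffer size exceeded')"
        )
    return count, problems


# Constructed samples (not the real attachments).
SAMPLE_HOSTS = """# constructed sample
bad-actor.example
Bad-Actor.example
malware.example
bad-actor.example
rbn-affiliate.example
"""

SAMPLE_IPBLOCK = """# constructed sample: range,enabled,comment
192.0.2.0/24,on,documentation range used as a stand-in
198.51.100.7,on,single host
203.0.113.0/24,on,another test range
not-an-address,on,typo that smoothd would choke on
"""

if __name__ == "__main__":
    new_text, dupes = dedupe_hosts(SAMPLE_HOSTS)
    print(f"{dupes} duplicates removed:\n{new_text}")
    count, problems = check_ipblock(SAMPLE_IPBLOCK)
    print(f"{count} valid ranges; problems: {problems}")
    # A list one entry over the limit triggers the batch warning.
    big = "\n".join(f"10.{i // 256}.{i % 256}.0/24,on,x" for i in range(IPBLOCK_MAX_RANGES + 1))
    print(check_ipblock(big)[1][-1])
```

Run the ipblock check before every update of the list: the failure mode on the page is silent apart from the log line, so a pre-flight count is the cheapest way to notice that the last batch of RBN ranges pushed the file over the limit.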

BIND DNS: now being tested on FreeBSD.

  • bindzone: experimental. Do not use this BIND zone file in a production environment unless you have tested it. A viable alternative to corporate whitelisting. Contains 172,580 domains and objects. Update 7-13-2008: added 1,048 new Russian Business Network domains.
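
An added example of how a BIND blackhole of this kind is built; it is not the page's bindzone attachment and not BIND code. It assumes the classic pre-RPZ layout: one named.conf zone stanza per blocked domain, all pointing at a single master zone file whose wildcard A record answers with the loopback address. The domain list, the nameserver and hostmaster names, and the serial are constructed.

```python
# Added example, not the page's bindzone attachment and not BIND code: a
# generator for the classic pre-RPZ BIND sinkhole layout.  Assumptions (not
# from the page): one named.conf zone stanza per blocked domain, all sharing
# one master zone file whose wildcard A record answers with the loopback
# address; the sample domain list and the ns/hostmaster names are constructed.
import re
from typing import List

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domains(text: str) -> List[str]:
    """Lower-case, validate, de-duplicate and prune a blocklist.

    A child name whose parent is already listed is dropped: an authoritative
    zone for bad.example already answers for www.bad.example via the wildcard,
    so the child stanza would be redundant.  Syntactically invalid lines are
    dropped too, because a single bad stanza stops named from loading.
    """
    unique = set()
    for raw in text.splitlines():
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        if DOMAIN_RE.match(name):
            unique.add(name)
    kept = set()
    for name in sorted(unique, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if any(p in kept for p in parents):
            continue
        kept.add(name)
    return sorted(kept)


def named_conf_stanzas(domains: List[str], zone_file: str) -> str:
    """Emit one 'type master' zone stanza per domain, all using zone_file."""
    return "".join(
        f'zone "{d}" IN {{ type master; file "{zone_file}"; }};\n' for d in domains
    )


def blackhole_zone(sink_ip: str = "127.0.0.1", ns: str = "ns.sink.example.",
                   contact: str = "hostmaster.sink.example.", serial: int = 2008111001) -> str:
    """The shared zone file: apex and wildcard both resolve to sink_ip."""
    return (
        "$TTL 300\n"
        f"@   IN SOA {ns} {contact} ( {serial} 3600 900 604800 300 )\n"
        f"    IN NS  {ns}\n"
        f"    IN A   {sink_ip}\n"
        f"*   IN A   {sink_ip}\n"
    )


# Constructed sample list (not the page's 172,580-entry file).
SAMPLE_LIST = """# constructed
bad.example
www.bad.example
BAD.EXAMPLE.
cdn.malware.test
not a domain
"""

if __name__ == "__main__":
    domains = normalize_domains(SAMPLE_LIST)
    print(named_conf_stanzas(domains, "/etc/namedb/blackhole.db"))
    print(blackhole_zone())
```

The parent-pruning step matters at the page's scale: every stanza costs named memory and startup time, and dropping subdomains already covered by a parent zone shrinks a 172,580-entry list without losing coverage. It is also the kind of change the page's "test before production" warning is about, since a pruned list changes which names are answered locally.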

Honeywall Roo 1.4: Honeywall 1.4 has emerged from beta. Out of the box it runs with a reduced snort_inline ruleset. To use the Emerging Threats rules you must: 1) copy the Emerging Threats rules into the Snort-inline folder, and 2) log in as root at the console (su -), run /usr/sbin/menu, and choose Generate IPS Rules. The strategy in this topology is to use snort_inline to protect Smoothwall and the workstations behind it. An array of Snort sensors can spread the load and remove the single point of failure.

Honeywall Gateway: Honeywall 1.2. This configuration uses over 900 MB of RAM.

  • snort_inline.conf: most rules are set to drop; do not use Honeywall's autogenerated replace rules. Will Metcalf, the current maintainer of snort_inline, does not recommend blindly converting as many rules as possible to replace. In particular, he advises against using replace in rules that contain the keyword flowbits:noalert: those rules perform protocol identification or behaviour tracking and only set state, which separate rules later check before alerting or dropping.

  • blacklist.txt: /etc/blacklist.txt specifies incoming traffic to be blocked by source IP address. Based on the Bleeding All Firewall rules.

  • fencelist.txt: /etc/fencelist.txt specifies outgoing traffic to be blocked by destination IP address. Updated 4-12-2008.

  • crontab: crontab file for Honeywall that schedules reboot.pl and clean.pl.

  • clean.pl.txt: cleans out Honeywall's logging directories on a schedule, for systems with limited hard disk space.
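
The two cautions in the snort_inline.conf item above (convert alert rules to drop, but never bolt replace onto flowbits:noalert rules) as an added example. This is not the page's snort_inline.conf and not snort_inline's own converter; it assumes one rule per line in the usual "action proto src sport -> dst dport (options)" form with no parentheses inside option values, and the sample rules and their sids are constructed, not Emerging Threats rules.

```python
# Added example, not the page's snort_inline.conf and not snort_inline's own
# rule converter: turns alert rules into drop rules while honouring the two
# cautions above.  Assumptions (not from the page): one rule per line in the
# usual 'action proto src sport -> dst dport (options)' form, no parentheses
# inside option values.  The sample rules and their sids are constructed.
import re
from typing import List, Tuple

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
NOALERT_RE = re.compile(r"\bflowbits\s*:\s*noalert\b")
REPLACE_RE = re.compile(r"\breplace\s*:")


def _sid(opts: str) -> int:
    m = SID_RE.search(opts)
    return int(m.group(1)) if m else -1


def convert_ruleset(text: str) -> Tuple[List[str], List[int]]:
    """Rewrite 'alert' rules as 'drop' rules.

    Rules carrying flowbits:noalert are left alone and their sids returned:
    they only set state for protocol identification, and the rule that later
    checks the flowbit is the one that should alert or drop.  Turning the
    state-setting rule into a drop would kill the session before the real
    check ever ran.  Comments, blank lines and non-alert rules pass through.
    Returns (converted_lines, skipped_sids).
    """
    out: List[str] = []
    skipped: List[int] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("action") != "alert":
            out.append(line)
            continue
        opts = m.group("opts")
        if NOALERT_RE.search(opts):
            skipped.append(_sid(opts))
            out.append(line)
            continue
        out.append(f"drop {m.group('header').strip()} ({opts})")
    return out, skipped


def audit_replace(text: str) -> List[int]:
    """Return sids of rules that combine 'replace' with flowbits:noalert.

    This is the pattern the page warns about in autogenerated replace rules:
    the payload would be rewritten every time the identification rule
    matched, including on benign sessions that the later flowbit check would
    have let through.
    """
    bad: List[int] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and REPLACE_RE.search(m.group("opts")) and NOALERT_RE.search(m.group("opts")):
            bad.append(_sid(m.group("opts")))
    return bad


# Constructed sample rules (local sid range; not Emerging Threats rules).
SAMPLE_RULES = """# constructed sample rules, not Emerging Threats rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC NICK seen"; flow:to_server,established; content:"NICK "; flowbits:set,example.irc; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE IRC bot command"; flow:to_server,established; flowbits:isset,example.irc; content:".ddos "; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE bad User-Agent"; flow:to_server,established; content:"User-Agent|3a| evil"; replace:"User-Agent|3a| nice"; sid:1000003; rev:1;)
drop tcp any any -> any 25 (msg:"EXAMPLE already a drop rule"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE unsafe autogenerated replace"; content:"GET "; replace:"XXX "; flowbits:set,example.http; flowbits:noalert; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    lines, skipped = convert_ruleset(SAMPLE_RULES)
    print("\n".join(lines))
    print("left as alert (flowbits:noalert):", skipped)
    print("replace + flowbits:noalert, do not load:", audit_replace(SAMPLE_RULES))
```

Run the converted file through your sensor's configuration test before loading it, and treat anything audit_replace reports as a rule to drop from the set rather than repair: the fix is to put the replace on the rule that checks the flowbit, not on the one that sets it.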

Deprecated:

Honeywall Roo 1.1:

  • snort_inline.conf: Bleeding Snort snort_inline configuration for Honeywall Roo 1.1.

Smoothwall Express 2.0: if you are still using Smoothwall 2.0, you should migrate to Smoothwall 3.0 as soon as possible.

  • snort.in: snort.in for Smoothwall Express 2.0 Fixes 1-9

  • snort.conf: snort.conf for Smoothwall Express 2.0 Fixes 1-9

  • dnsmasq.conf: DNSMasq config for Smoothwall 2.0's blackhole

  • tldblackhole.conf: Top Level Domains for Smoothwall 2.0; add to top of blackhole.conf; edit to suit your preferences

  • BadMP3SitesBlackhole.txt: MP3 sites that target children with malware. Use in Smoothwall 2.0's blackhole.conf file.

-- JamesMcQuaid - 13 July 2008

Topic attachments (name, size, date, uploader, comment):

  • A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.doc (474.5 K, 24 Jan 2008 - 01:47, JamesMcQuaid): Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
  • A_Novices_Guide_to_Using_Multiple_Layers_of_Snort_to_Defend_the_Home_Network.pdf (429.1 K, 24 Jan 2008 - 01:47, JamesMcQuaid): Bleeding topology for the home: Honeywall Roo 1.1 and 1.2
  • Atrivo-Smoothwall-config (3.3 K, 31 Mar 2008 - 01:56, JamesMcQuaid)
  • BerkmanCenter.gif (7.9 K, 27 May 2008 - 02:38, JamesMcQuaid)
  • Creating_A_Bootable_ISO_CD.pdf (772.6 K, 14 May 2008 - 01:22, JamesMcQuaid)
  • InstallAndConfigureHoneywall.pdf (5476.8 K, 14 May 2008 - 01:53, JamesMcQuaid)
  • SmoothwallSnortHowTo.txt (0.1 K, 01 Jan 1970 - 00:00, TWikiGuest)
  • UsingHoneywall.pdf (5200.0 K, 15 May 2008 - 05:35, JamesMcQuaid)
  • bindzone (14091.7 K, 15 Jul 2008 - 02:52, JamesMcQuaid)
  • bleeding-edge-SMOOTHWALL-ALL.rules (0.4 K, 06 Apr 2008 - 14:09, JamesMcQuaid)
  • clean.pl.txt (2.1 K, 24 Jan 2008 - 03:24, JamesMcQuaid): Clean out Honeywall's logging directories on a schedule if you have limited hard disk space.
  • config-hosts (6050.9 K, 10 Nov 2008 - 02:50, JamesMcQuaid)
  • config-ipblock_Smoothwall3 (8.6 K, 13 Jul 2008 - 22:13, JamesMcQuaid)
  • config-ipblock_Smoothwall3.txt (8.6 K, 13 Jul 2008 - 22:08, JamesMcQuaid)
  • crontab (0.6 K, 24 Jan 2008 - 02:23, JamesMcQuaid): crontab file for Honeywall which schedules reboot.pl and clean.pl
  • dedupe.pl.txt (1.2 K, 08 Apr 2008 - 03:04, JamesMcQuaid)
  • dnsmasq.conf (0.1 K, 24 Jan 2008 - 02:45, JamesMcQuaid): DNSMasq config for Smoothwall 2.0's blackhole
  • fencelist.txt (31.2 K, 13 Apr 2008 - 10:05, JamesMcQuaid)
  • hosts (5329.5 K, 10 Nov 2008 - 02:53, JamesMcQuaid)
  • reboot.pl.txt (1.1 K, 24 Jan 2008 - 02:24, JamesMcQuaid): Reboot Honeywall on a schedule
  • snort.conf (6.3 K, 24 Jan 2008 - 02:32, JamesMcQuaid): snort.conf for Smoothwall Express 2.0 Fixes 1-9
  • snort.in (2.8 K, 24 Jan 2008 - 02:30, JamesMcQuaid): snort.in for Smoothwall Express 2.0 Fixes 1-9
  • snort_inline.conf (0.1 K, 01 Jan 1970 - 00:00, TWikiGuest)
  • snort_smoothwall3.conf (38.7 K, 11 Jul 2008 - 00:35, JamesMcQuaid)
Emerging Threats