Honeywall and Smoothwall Configuration Samples


Examples presented at Berkman Center, Harvard Law School, May 16th, 2008


DNS Black Hole for Smoothwall Express 3.0

  • config: 463,028 organized crime, RBN affiliates, malware hosts, and bad actor domains blacklisted for Smoothwall 3. Leave last line blank. Use open source software such as WinSCP? or Filezilla to transfer the config file into /var/smoothwall/hosts/. Updated 9-18-2011.

  • hosts: Protect your family and home network from 463,028 of "the baddest of the bad" domains blacklisted for Smoothwall 3. This black hole is not for everyone; it blocks many file sharing services, and will enable you to reduce your small business' exposure to liability. Place hosts in /var/smoothwall/hosts/. Blacklisted domains resolve to the SpywareListeningPost (, which provides our analysts with intel in the rapidly escalating war with malware; no personally identifying information is collected. Modify line 2 to match your local area network CIDR (i.e.,, etc. ). You can use an open source program, such as Notepad++, to edit these files. Note: Occasionally, a compromised (but otherwise legitimate site) is listed: the imperative is to protect local networks. If you believe that your domain should no longer be listed, please let us know and we will gladly review it for de-listing. Updated 9-18-2011.

  • dedupe.pl.txt: Rename to dedupe.pl. Sorts and removes duplicate entries in Smoothwall's /var/smoothwall/hosts/config file; populates configNew file (which you then rename to config). With slight modification, you can also use this to dedupe IP address lists.

  • snort_smoothwall3.conf: Snort.conf for Smoothwall. This configuration uses Stream5 and a large number of rules, but runs on a machine with 1 GB of RAM.

Be certain to apply Smoothwall's available update patch packages.

If you are using Bind or prefer to block malware only, David Glosser's DNS BlackHole http://www.malwaredomains.com/ provides the best available Malware Domain Blocklist.



Honeywall Roo 1.4: Honeywall 1.4 has emerged from beta. 'Out of the box' it functions with a reduced Snort Inline ruleset. To use the Emerging Threats rules, you must: 1) copy the Emerging Threats rules into the Snort-inline folder, and 2) log in as root (su -) at the console, run /user/sbin/menu, and Generate IPS Rules. The strategy in this topology is to leverage Snort Inline to protect Smoothwall and the workstations. You can use Snort arrays to spread the load and eliminate a single point of failure.

Honeywall Gateway: Honeywall 1.2 . This configuration will utilize over 900 MB of RAM.

  • snort_inline.conf: Most rules are set to drop; do not use Honeywall's autogenerated replace rules. Will Metcalf, the current maintainer of snort_inline, does not recommend blindly converting as many rules as possible to use replace. Will has said to not use replace in rules that contain the keyword flowbits:noalert because they are used in protocol identification/behavior, and are later checked in separate rules that alert/drop.

The /etc/blacklist.txt file specifies incoming traffic to be blocked based upon source IP address. Based upon the Bleeding All Firewall rules.

The /etc/fencelist.txt file specifies outgoing traffic to be blocked based upon destination IP address. Updated 4-12-2008.

  • crontab: crontab file for Honeywall which schedules reboot.pl and clean.pl

  • clean.pl.txt: Clean out Honeywall's logging directories on a schedule if you have limited hard disk space.

-- JamesMcQuaid - 5 June 2010

Topic attachments
I Attachment Action Size Date Who Comment
Unknown file formatEXT config manage 17394.2 K 2011-09-18 - 19:12 UnknownUser  
Unknown file formatEXT hosts manage 15585.5 K 2011-09-18 - 19:19 UnknownUser  
Topic revision: r96 - 2011-09-18 - JamesMcQuaid
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats