VMWare / Honeywall bridging problems

["Matthew Franz" <mdfranz () gmail com>]

So I've seen some of the documentation on binding the 3 honeywall
interfaces to 3 physical interfaces as well as
http://www.honeynet.org.pk/honeywall/roo/page2b.htm which shows how to
run the attacker, honeywall and honeypots all within VMWare, but I'm
still running into some issues with bridging. I'm using GSX Server
3.2.1 (also tried VMWare Server Beta)

Host - Debian Sarge
----------------------------
eth0 - interface up, no IP assigned -- this is what I want the exposed
interface to be
eth1 - management interface for host / tunnel GSX console over SSH

Honeywall (Roo-VMWware)
--------------------------------------
eth0  (bridge in) - bridged
eth1  (bridge out) - I've tried both host-only and custom (vmnet3) and
I'm confused why http://www.honeynet.org.pk/honeywall/roo/page2b.htm
says this should be another bridged interface, I tried that too but I
got a nasty ARP storm then sent honeyall cpu to 20-30 :)
eth2 - NAT or another host-only ( or whatever)  will do SSH forwarding
for walleye through host management interface

Honeynet (Debian Sarge)
--------------
eth0 - host only
eth1 - NAT - just used for upgrading packages, was down when trying to
get it working...

So I assign eth0 on honeynet to one of my public IPs and ping from
another public IP my other public IP interface is plugged into a hub
that eth0 on the host is plugged into.

On the honeywall -- I see the ARPs go in  eth0   and out eth1 (and
also on br0, obviously)

On the honeynet --  I see  the ARP request and the honeynet sends the
ARP reply back

But I never see the ARP reply come back through on honeywall eth1.
Interesting enough, I happened to sniff on host vmnet3 (custom) and
saw them there).

Any ideas?

Thanks,

- mdf

--
Matthew Franz
http://www.threatmind.net