diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e36cb54f2..1cecd812c 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2401,7 +2401,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
},
TARPIT => sub {
- require_capability 'TARPIT_TARGET', 'The TARPIT Target', 's';
+ require_capability 'TARPIT_TARGET', 'TARPIT', 's';
fatal_error "TARPIT is only valid with PROTO tcp (6)" if ( resolve_proto( $proto ) || 0 ) != TCP;
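Review bot: The manpage hunks below document an optional (tarpit | honeypot | reset) parameter for TARPIT, but this hunk shows only the capability check and the PROTO guard, so it is not visible here that the parameter is validated against exactly those three modes and that an unknown mode (or an empty parenthesised list) is rejected with a fatal_error rather than passed through to iptables; please confirm that path or include it in the patch. The renamed capability description ('TARPIT' in place of 'The TARPIT Target') only changes the text shown when the capability is missing, so it should match the wording used by the other require_capability calls in this file. The `( resolve_proto( $proto ) || 0 ) != TCP` guard is correct in the safe direction: an unresolvable or unset protocol is treated as not-TCP and refused, which matches the "only valid with PROTO tcp (6)" statement in the documentation.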
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 79145e9ba..bfb3e7464 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -652,6 +652,76 @@
+
+ TARPIT [(tarpit |
+ honeypot | reset)]
+
+
+ Added in Shorewall 4.6.6.
+
+ TARPIT captures and holds incoming TCP connections
+ using no local per-connection resources.
+
+ TARPIT only works with the PROTO column set to tcp (6),
+ and is totally application agnostic. This module will answer a
+ TCP request and play along like a listening server, but aside
+ from sending an ACK or RST, no data is sent. Incoming packets
+ are ignored and dropped. The attacker will terminate the
+ session eventually. This module allows the initial packets of
+ an attack to be captured by other software for inspection. In
+ most cases this is sufficient to determine the nature of the
+ attack.
+
+ This offers similar functionality to LaBrea
+ <http://www.hackbusters.net/LaBrea/> but does not
+ require dedicated hardware or IPs. Any TCP port that you would
+ normally DROP or REJECT can instead become a tarpit.
+
+ The target accepts a single optional parameter:
+
+
+
+ tarpit
+
+
+ This mode is the default and completes a
+ connection with the attacker but limits the window size
+ to 0, thus keeping the attacker waiting long periods of
+ time. While he is maintaining state of the connection
+ and trying to continue every 60-240 seconds, we keep
+ none, so it is very lightweight. Attempts to close the
+ connection are ignored, forcing the remote side to time
+ out the connection in 12-24 minutes.
+
+
+
+
+ honeypot
+
+
+ This mode completes a connection with the
+ attacker, but signals a normal window size, so that the
+ remote side will attempt to send data, often with some
+ very nasty exploit attempts. We can capture these
+ packets for decoding and further analysis. The module
+ does not send any data, so if the remote expects an
+ application level response, the game is up.
+
+
+
+
+ reset
+
+
+ This mode is handy because we can send an inline
+ RST (reset). It has no other function.
+
+
+
+
+
+
ULOG[(ulog-parameters)]
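Review bot: The new TARPIT entry never states what the target depends on, while Rules.pm refuses the rule unless the TARPIT_TARGET capability is detected; add a sentence such as "Requires the TARPIT target in your kernel and iptables (capability TARPIT_TARGET)" next to "Added in Shorewall 4.6.6." so readers know why a rule may fail at compile time. The general paragraph says "Incoming packets are ignored and dropped" and that the initial packets can be "captured by other software", but the honeypot paragraph says "We can capture these packets for decoding"; make clear that TARPIT itself retains nothing and that capture has to be done by a separate mechanism (for example a preceding LOG rule or a packet capture on the interface). It would also help to state that the reset mode behaves like a REJECT with a TCP reset and that the tarpit mode deliberately keeps the remote side waiting (12-24 minutes per the text), so operators understand the externally visible behaviour before replacing DROP or REJECT rules with it.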
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index 5ee7645e0..595978651 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -628,6 +628,76 @@
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5).
+
+
+ TARPIT [(tarpit |
+ honeypot | reset)]
+
+
+ Added in Shorewall 4.6.6.
+
+ TARPIT captures and holds incoming TCP connections using
+ no local per-connection resources.
+
+ TARPIT only works with the PROTO column set to tcp (6),
+ and is totally application agnostic. This module will answer a
+ TCP request and play along like a listening server, but aside
+ from sending an ACK or RST, no data is sent. Incoming packets
+ are ignored and dropped. The attacker will terminate the
+ session eventually. This module allows the initial packets of
+ an attack to be captured by other software for inspection. In
+ most cases this is sufficient to determine the nature of the
+ attack.
+
+ This offers similar functionality to LaBrea
+ <http://www.hackbusters.net/LaBrea/> but does not
+ require dedicated hardware or IPs. Any TCP port that you would
+ normally DROP or REJECT can instead become a tarpit.
+
+ The target accepts a single optional parameter:
+
+
+
+ tarpit
+
+
+ This mode is the default and completes a
+ connection with the attacker but limits the window size
+ to 0, thus keeping the attacker waiting long periods of
+ time. While he is maintaining state of the connection
+ and trying to continue every 60-240 seconds, we keep
+ none, so it is very lightweight. Attempts to close the
+ connection are ignored, forcing the remote side to time
+ out the connection in 12-24 minutes.
+
+
+
+
+ honeypot
+
+
+ This mode completes a connection with the
+ attacker, but signals a normal window size, so that the
+ remote side will attempt to send data, often with some
+ very nasty exploit attempts. We can capture these
+ packets for decoding and further analysis. The module
+ does not send any data, so if the remote expects an
+ application level response, the game is up.
+
+
+
+
+ reset
+
+
+ This mode is handy because we can send an inline
+ RST (reset). It has no other function.
+
+
+
+
+
The target may optionally be
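Review bot: This hunk is a verbatim copy of the IPv4 text, including the LaBrea URL and the "dedicated hardware or IPs" wording, with no statement that the TARPIT target is actually available to ip6tables at the version Shorewall6 4.6.6 supports; please confirm the TARPIT_TARGET capability is detected with the IPv6 tools and, if it requires a newer kernel or iptables add-on than the IPv4 target does, say so in this entry. Since the same paragraphs now live in two files, consider noting in the commit message that both manpages must be kept in sync, or factoring the shared text, so the two copies do not drift when the tarpit/honeypot/reset descriptions are revised.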