The shun client blocks all communication with the hosts listed in /etc/shun/shun.conf or other block lists called from that file. It instructs a Linux kernel to stop accepting packets from that host and block all outbound packets destined for it.
The configuration file looks like this:
    . /full/path/to/additional/entries
        #Source another file of shun entries
        #. and 0 entries in files will be ignored.
    . http://some.trusted.source/shunlist.html /etc/shun/trusted-shun-cache.html
        #pull down a shun list in this format and store a copy in
        #/etc/shun/trusted-shun-cache.html to use if the network
        #is down at some future time.
    + ipa/32 UnixGMTPardonTimestamp
        #Shun this host, but only until Timestamp reached, then the
        #shun client is responsible for taking away the shun entry.
        #The client does _not_ guarantee that the shun will be removed
        #at exactly that time.
    + networka/22 UnixGMTPardonTimestamp
        #Shun this net
    + networkb/30 UnixGMTPardonTimestamp
    ! ipz/32
        #Regardless of any other local or remote shun requests, _never_ shun this IP.
    ! networky/26
        #Likewise, never shun this net.
    #blah blah blah
        #Ignore any characters following '#' anywhere on a line.
All IPs and networks must be straight numerical IPs or networks, or resolvable via /etc/hosts. While DNS lookup could technically be accommodated, that's a _really_ bad idea in firewall rules if the DNS server is unavailable.
Lines starting with any character other than 0, ., +, -, or ! will be ignored.
No blocking will be done on the loopback interface.
To start blocking the hosts and networks in the configuration file(s), run
    /etc/init.d/shun start
To stop shunning those machines:
/etc/init.d/shun stop
Note that IP_address can have a netmask after it to block a network instead of an individual host. 127.12.23.14, 127.12.13.14/32, 127.12.13.0/24 and 127.12.13.0/255.255.255.0 are all legal.
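To make the entry format above concrete, here is an added example (written for this page, not code from the shun client itself) that parses shun.conf lines the way the rules above describe: everything after '#' is ignored, lines not starting with 0, ., +, -, or ! are skipped, '+' entries carry a pardon timestamp, '!' entries are never-shun exceptions, and addresses may be given as a bare IP, ip/prefixlen or ip/dotted-netmask as in the note just above. It then computes the set of networks that should actually be blocked at a given time. Assumptions not stated on the page: a '+' entry with no timestamp is treated as permanent, the 0 and - prefixes are recorded but not interpreted, names that would resolve via /etc/hosts are not resolved here (only numeric forms are accepted), and when a '!' range lies inside a shunned range the example carves it out rather than dropping the whole shun; the page only says '!' wins. The sample configuration is constructed.

```python
"""Parser for the shun.conf entry format with pardon-timestamp expiry and
'!' never-shun overrides.  Example code for this page, not the shun client."""
import ipaddress
import time

# Prefixes the page says are meaningful; lines starting with anything else are ignored.
KNOWN_PREFIXES = set("0.+-!")

# Constructed sample; these are documentation address ranges, not a real block list.
SAMPLE_CONF = """\
# constructed sample shun.conf
+ 192.0.2.7/32 4102444800            #shun one host until 2100-01-01 UTC
+ 198.51.100.0/24 4102444800         #shun a whole /24
+ 203.0.113.5 1000000000             #pardon timestamp already in the past
! 198.51.100.64/26                   #never shun this slice of the /24
! 192.0.2.7                          #never shun this host, overriding the + above
+ 10.0.0.0/255.255.255.0 4102444800  #dotted-netmask form from the note above
. /etc/shun/extra.conf               #source another file of entries
this line is ignored
"""


def strip_comment(line):
    """Drop everything from the first '#' onward, then surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_network(text):
    """Accept a bare IP, ip/prefixlen or ip/dotted-netmask.  Only numeric forms
    are handled (assumption); names that would resolve via /etc/hosts give None."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def parse_entry(line):
    """Return a dict describing one config line, or None if the line is ignored.
    kinds: 'include' (.), 'shun' (+), 'never' (!), and 'other' for the 0 and -
    prefixes the page names but does not explain (left uninterpreted)."""
    body = strip_comment(line)
    if not body or body[0] not in KNOWN_PREFIXES:
        return None
    prefix, rest = body[0], body[1:].split()
    if prefix == ".":
        if not rest:
            return None
        # ". path" or ". url cache-path"
        return {"kind": "include", "source": rest[0],
                "cache": rest[1] if len(rest) > 1 else None}
    if prefix in "0-":
        return {"kind": "other", "prefix": prefix, "args": rest}
    if not rest:
        return None
    net = parse_network(rest[0])
    if net is None:
        return None  # unresolvable name or garbage: leave it out rather than guess
    if prefix == "!":
        return {"kind": "never", "net": net}
    try:
        pardon = int(rest[1]) if len(rest) > 1 else None  # None = permanent (assumption)
    except ValueError:
        return None
    return {"kind": "shun", "net": net, "pardon": pardon}


def parse_config(text):
    """Parse a whole file's worth of lines, keeping only recognised entries."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def effective_shuns(entries, now):
    """Networks that should be blocked at Unix time `now`: expired pardons are
    dropped and any range covered by a '!' entry is carved out of the shun range."""
    never = [e["net"] for e in entries if e["kind"] == "never"]
    result = set()
    for e in entries:
        if e["kind"] != "shun":
            continue
        if e["pardon"] is not None and e["pardon"] <= now:
            continue  # pardon time reached: the client must remove this shun
        pieces = [e["net"]]
        for n in never:
            next_pieces = []
            for p in pieces:
                if not p.overlaps(n):
                    next_pieces.append(p)
                elif n.supernet_of(p):
                    pass  # the whole shunned range is protected: drop it
                else:
                    # CIDR blocks that overlap nest, so n is strictly inside p here
                    next_pieces.extend(p.address_exclude(n))
            pieces = next_pieces
        result.update(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


if __name__ == "__main__":
    for net in effective_shuns(parse_config(SAMPLE_CONF), int(time.time())):
        print("block", net)
```

Run as written it prints the three ranges left after the expired entry and the two never-shun exceptions are applied: 10.0.0.0/24, 198.51.100.0/26 and 198.51.100.128/25. The 192.0.2.7 shun disappears entirely because the '!' entry covers it, and the /24 is split around the protected /26 so the firewall rules never touch it.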
For a complete list of all files, see filelist.html.
Copyright 2001 William Stearns <[email protected]>
Last edited: 10/9/2001
Best viewed with something that can show web pages... <grin>