Intro

The shun client blocks all communication with the hosts listed in /etc/shun/shun.conf or other block lists called from that file. It instructs a Linux kernel to stop accepting packets from that host and block all outbound packets destined for it.

The configuration file

The configuration file looks like this:

. /full/path/to/additional/entries
	#Source another file of shun entries
	#. and 0 entries in files will be ignored.

. http://some.trusted.source/shunlist.html /etc/shun/trusted-shun-cache.html
	#pull down a shun list in this format and store a copy in
	#/etc/shun/trusted-shun-cache.html to use if the network
	#is down at some future time.

+ ipa/32 UnixGMTPardonTimestamp
	#Shun this host, but only until Timestamp reached, then the
	#shun client is responsible for taking away the shun entry.
	#The client does _not_ guarantee that the shun will be removed
	#at exactly that time.

+ networka/22 UnixGMTPardonTimestamp
	#Shun this net

+ networkb/30 UnixGMTPardonTimestamp

! ipz/32
	#Regardless of any other local or remote shun requests, _never_ shun this IP.

! networky/26
	#Likewise, never shun this net.

#blah blah blah
	#Ignore any characters following '#' anywhere on a line.

All ips and networks must be straight numerical IPs or networks, or resolvable via /etc/hosts. While DNS lookup could technically be accomodated, that's a _really_ bad idea in firewall rules if the dns server is unavailable.

Lines starting with any character other than 0, ., +, -, or ! will be ignored.

No blocking will be done on the loopback interface.

Starting to shun

To start blocking the hosts and networks in the configuration file(s), run

/etc/init.d/shun start
To stop shunning those machines:
/etc/init.d/shun stop

Command Line parameters

start
Start blocking IP's
stop
Stop blocking those IP's
+|shun IP_address
Add that IP to the shun list and immediately start shunning it. This can be used in addition to or seperate from start/stop.
!|nevershun IP_address
Don't ever shun that address. The address is likewise added to the active configuration file as a nevershun address and the firewall immediately treats it as a nevershun address.
-c|.|source /path/to/file|URL
Get commands from the specified file or URL. Only one configuration file can be specified on the command line, but additional files or URLs can be specified inside that file.

Note that IP_address can have a netmask after it to block a network instead of an individual host. 127.12.23.14, 127.12.13.14/32, 127.12.13.0/24 and 127.12.13.0/255.255.255.0 are all legal.


Downloads

For a complete list of all files, see filelist.html.


Contact

Copyright 2001 William Stearns <wstearns@pobox.com>

Last edited: 10/9/2001

Best viewed with something that can show web pages... <grin>