Hello Holger,

and thank you for new info.

So you mean there is no way to filter IP addresses in the IPMI module??
[Liebig, Holger] IPMI does not define IP address filtering. Depending on the 
networking setup, you can configure a separate VLAN for the BMC to separate it 
from the system LAN.

Reason why I need this, we have a bunch of servers with IPMI, spread out across 
the whole country.
These servers have one public IP address, with IPMI attached on this address.
[Liebig, Holger] Make sure, that your router and internet provider forwards the 
RMCP traffic on port 623.
We, of course, need access to all functions on IPMI via LAN interface, so all 
functions must be enabled.
As IP address is public, everyone can access it, so we'd like to have some IP 
filtering, to allow only our IP address in.
We'd like to set up some kind of packet filter right in the IPMI module, because 
having an external firewall means having another box,
which means more possible problems ->
IPMI allows us to manage the server even in case of OS failure.
If we put another box (firewall) in front of IPMI, what should we do in case of 
firewall failure?

Once again, there is absolutely no way to block some IP addresses right in the 
IPMI ???


If so, I guess we'll have to use very very hard passwords for LAN access ;-)
[Liebig, Holger] You can enhance security by configuring a BMC Key for IPMI 2.0 
sessions (-I lanplus) in addition to user passwords. This is an additional 
20-byte key (typically a certificate fingerprint). The problem is that most 
BMCs do not support disabling IPMI 1.5 when both versions are supported.

Good luck,
Holger



From: "Liebig, Holger" <[EMAIL PROTECTED]>
Time: 09.01.2008 08:47
To: "ipmitool-devel@lists.sourceforge.net" <ipmitool-devel@lists.sourceforge.net>
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: RE: [Ipmitool-devel] ipmitool firmware firewall - packet filtering setup - HOWTO



The IPMI Firewall is not an IP filtering firewall. You can enable/disable IPMI 
commands for an IPMI Channel (e.g. disable certain commands for the LAN or 
serial channel).

If you need IP based access control, you have to set up an external firewall 
and block the RMCP port (623).

IMHO the better solution would be not to disclose BMC account information to 
everybody ;-)

Holger


________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, January 08, 2008 1:51 PM
To: ipmitool-devel@lists.sourceforge.net
Subject: [Ipmitool-devel] ipmitool firmware firewall - packet filtering setup - 
HOWTO

Hello everybody,

I'm looking for some tutorial/examples on how to set up
IPMI firmware firewall, using "ipmitool".

The man page of "ipmitool" provides very brief help about this topic.
Searching web resources, I've found nothing.

Could you please point me to some place where there are some basic examples
of firewall settings:
allow only some IP addresses to access IPMI, etc.

Thank you all in advance

Tomas
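
The external filter suggested in the thread (IP-based access control on RMCP port 623), as an added example that is not part of the original messages. It assumes an upstream Linux router running nftables that forwards traffic to the server; the table name and all addresses are constructed placeholders (RFC 5737 documentation ranges).

```nftables
#!/usr/sbin/nft -f
# Constructed example for a Linux router that forwards traffic to the server.
# All addresses are RFC 5737 documentation addresses, not values from the thread.

define ADMIN_SRC  = { 198.51.100.10, 198.51.100.11 }  # assumed management hosts
define SERVER_PUB = 203.0.113.20                      # assumed server/BMC public address

table inet bmc_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # RMCP/RMCP+ (IPMI over LAN) uses UDP 623: allow it only from the admin hosts.
        ip saddr $ADMIN_SRC ip daddr $SERVER_PUB udp dport 623 counter accept

        # Anything else aimed at UDP 623 on that address is counted, logged and dropped.
        ip daddr $SERVER_PUB udp dport 623 counter log prefix "rmcp-denied: " drop

        # Other traffic to the host (SSH, HTTP, ...) is left to the default policy.
    }
}
```

Running `nft -c -f` on the file checks the ruleset for syntax errors without loading it.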
