Hello,

it is a good suggestion to use the BMC KEY,

are there any resources on how to set the key in IPMI?
Is it done in BIOS? - I can't remember any such option.

Is it done via "ipmitool"? - I'm unable to find out, as the man page of
ipmitool only mentions the "-k" command line option for the KG KEY,
but does not mention how to set the KG KEY on IPMI itself. Does the key have
to be set up via "raw" commands?


Thank you for help and have a nice day
Tomas




                                                                       
                                                                       
                                                                       
From: "Liebig, Holger" <[EMAIL PROTECTED]s.com>
Sent: 09.01.2008 11:30
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Cc: "[EMAIL PROTECTED]orge.net" <[EMAIL PROTECTED]orge.net>
Subject: RE: [Ipmitool-devel] ipmitool firmware firewall - packet filtering setup - HOWTO

 Hello Holger,

 and thank you for the new info.

 So you mean there is no way to filter IP addresses in the IPMI module??
 [Liebig, Holger] IPMI does not define IP address filtering. Depending on
 the networking setup, you can configure a separate VLAN for the BMC to
 separate it from the system LAN.


 The reason why I need this: we have a bunch of servers with IPMI, spread out
 across the whole country.
 These servers have one public IP address, with IPMI attached on this
 address.
 [Liebig, Holger] Make sure that your router and internet provider
 forward the RMCP traffic on port 623.
 We, of course, need access to all functions on IPMI via the LAN interface, so
 all functions must be enabled.
 As the IP address is public, everyone can access it, so we'd like to have some
 IP filtering, to allow only our IP address in.
 We'd like to set up some kind of packet filter right in the IPMI module,
 because having an external firewall means having another box,
 which means other possible problems ->
 IPMI allows us to manage the server even in case of OS failure.
 If we put another box (firewall) in front of IPMI, what should we do in
 case of firewall failure?

 Once again, there is absolutely no way to block some IP addresses right in
 the IPMI ???


 If so, I guess we'll have to use very very hard passwords for LAN
 access ;-)
 [Liebig, Holger] You can enhance security by configuring a BMC Key for
 IPMI 2.0 sessions (-I lanplus) in addition to user passwords. This is an
 additional 20-byte key (typically a certificate fingerprint). The problem
 is that most BMCs do not support disabling IPMI 1.5 when both versions
 are supported.


 Good luck,
 Holger




 From: "Liebig, Holger" <[EMAIL PROTECTED]>
 Sent: 09.01.2008 08:47
 To: "ipmitool-devel@lists.sourceforge.net" <ipmitool-devel@lists.sourceforge.net>
 Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
 Subject: RE: [Ipmitool-devel] ipmitool firmware firewall - packet filtering setup - HOWTO

 The IPMI Firewall is not an IP filtering firewall. You can enable/disable
 IPMI commands for an IPMI Channel (e.g. disable certain commands for the
 LAN or serial channel).

 If you need IP based access control, you have to set up an external
 firewall and block the RMCP port (623).

 IMHO the better solution would be not to disclose BMC account information
 to everybody ;-)

 Holger



 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Tuesday, January 08, 2008 1:51 PM
 To: ipmitool-devel@lists.sourceforge.net
 Subject: [Ipmitool-devel] ipmitool firmware firewall - packet filtering setup - HOWTO


 Hello everybody,

 I'm looking for some tutorial/examples on how to set up the
 IPMI firmware firewall, using "ipmitool".

 The man page of "ipmitool" provides very brief help about this topic.
 Searching web resources, I've found nothing.

 Could you please point me to some place where there are some basic
 examples of firewall settings:
 allow only some IP addresses to access IPMI, etc.

 Thank you all in advance

 Tomas
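
Added example, not part of the original thread or of ipmitool: Holger's caveat that the BMC key covers only IPMI 2.0 sessions can be checked on the wire, because the authentication-type byte that follows the 4-byte RMCP header distinguishes the IPMI 1.5 and IPMI 2.0 (RMCP+) session formats. The Python code below labels UDP port 623 payloads and lists the sources still running IPMI 1.5 sessions; the function names, addresses and sample packets are constructed for this illustration.

```python
import struct

RMCP_VERSION, CLASS_ASF, CLASS_IPMI = 0x06, 0x06, 0x07
AUTH_RMCPP = 0x06  # auth-type value that marks the IPMI 2.0 (RMCP+) session header
V15_AUTH = {0x00: "none", 0x01: "MD2", 0x02: "MD5", 0x04: "password", 0x05: "OEM"}

def classify(payload: bytes) -> str:
    """Label one UDP/623 payload by RMCP class and IPMI session-header format."""
    if len(payload) < 4 or payload[0] != RMCP_VERSION:
        return "not-rmcp"
    msg_class = payload[3] & 0x1F          # bit 7 is the RMCP ACK flag
    if msg_class == CLASS_ASF:
        return "asf"
    if msg_class != CLASS_IPMI or len(payload) < 5:
        return "rmcp-other"
    auth = payload[4] & 0x0F               # first byte of the IPMI session header
    if auth == AUTH_RMCPP:
        return "ipmi-2.0"
    return "ipmi-1.5/" + V15_AUTH.get(auth, "reserved")

def is_v15_session(payload: bytes) -> bool:
    """True for IPMI 1.5 packets that belong to a session (session ID != 0).

    Pre-session 1.5 packets (session ID 0) are skipped: lanplus clients also
    send Get Channel Authentication Capabilities that way before RMCP+ starts.
    """
    if not classify(payload).startswith("ipmi-1.5") or len(payload) < 13:
        return False
    (session_id,) = struct.unpack_from("<I", payload, 9)  # after auth type + sequence
    return session_id != 0

def legacy_sources(packets):
    """Source addresses seen using IPMI 1.5 sessions, which the BMC key does not cover."""
    return sorted({src for src, payload in packets if is_v15_session(payload)})

# Constructed sample traffic: documentation addresses, payloads truncated after the headers.
SAMPLES = [
    ("192.0.2.10", bytes.fromhex("06 00 ff 06 000011be 80 00 00 00")),       # ASF presence ping
    ("192.0.2.10", bytes.fromhex("06 00 ff 07 00 00000000 00000000 09")),    # 1.5 pre-session
    ("192.0.2.10", bytes.fromhex("06 00 ff 07 06 10 00000000 00000000 2000")),  # RMCP+ open session
    ("198.51.100.7", bytes.fromhex("06 00 ff 07 02 01000000 a1b2c3d4")),     # 1.5 MD5 session
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(src, classify(payload))
    print("IPMI 1.5 sessions from:", legacy_sources(SAMPLES))
```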
