|IFIREWALL(8)||System Manager's Manual||IFIREWALL(8)|
ipmiutil_firewall - configure the IPMI firmware firewall functions
ipmiutil firewall [-mxNUPREFJTVY] parameters
This ipmiutil firewall command supports the IPMI Firmware Firewall capability. It may be used to add or remove security-based restrictions on certain commands/command sub-functions or to list the current firmware firewall restrictions set on any commands. For each firmware firewall command listed below, parameters may be included to cause the command to be executed with increasing granularity on a specific LUN, for a specific NetFn, for a specific IPMI Command, and finally for a specific command's sub-function. See Appendix H in the IPMI 2.0 Specification for a listing of any sub-function numbers that may be associated with a particular command.
This utility can use either the /dev/ipmi0 driver from OpenIPMI, the /dev/imb driver from Intel, the /dev/ipmikcs driver from valinux, direct user-space IOs, or the IPMI LAN interface if -N.
Command line options are described below.
- -m 002000
- Show FRU for a specific MC (e.g. bus 00, sa 20, lun 00). This could be used for PICMG or ATCA blade systems. The trailing character, if present, indicates SMI addressing if 's', or IPMB addressing if 'i' or not present.
- Causes extra debug messages to be displayed.
- -N nodename
- Nodename or IP address of the remote target system. If a nodename is specified, IPMI LAN interface is used. Otherwise the local system management interface is used.
- -U rmt_user
- Remote username for the nodename given. The default is a null username.
- -P/-R rmt_pswd
- Remote password for the nodename given. The default is a null password.
- Use the remote password from Environment variable IPMI_PASSWORD.
- -F drv_t
- Force the driver type to one of the followng: imb, va, open, gnu, landesk, lan, lan2, lan2i, kcs, smb. Note that lan2i means lan2 with intelplus. The default is to detect any available driver type and use it.
- Use the specified LanPlus cipher suite (0 thru 17): 0=none/none/none, 1=sha1/none/none, 2=sha1/sha1/none, 3=sha1/sha1/cbc128, 4=sha1/sha1/xrc4_128, 5=sha1/sha1/xrc4_40, 6=md5/none/none, ... 14=md5/md5/xrc4_40. Default is 3.
- Use a specified IPMI LAN Authentication Type: 0=None, 1=MD2, 2=MD5, 4=Straight Password, 5=OEM.
- Use a specified IPMI LAN privilege level. 1=Callback level, 2=User level, 3=Operator level, 4=Administrator level (default), 5=OEM level.
- Yes, do prompt the user for the IPMI LAN remote password. Alternatives for the password are -E or -P.
Parameter syntax and dependencies are as follows:
firewall [channel H] [lun L [ netfn N [command C [subfn S]]]]
Note that if "netfn N" is specified, then "lun L" must also be specified; if "command C" is specified, then "netfn N" (and therefore "lun L") must also be specified, and so forth.
"channel H" is an optional and standalone parameter. If not specified, the requested operation will be performed on the current channel. Note that command support may vary from channel to channel.
Firmware firewall commands:
- info [(Parms as described above)]
List firmware firewall information for the specified LUN, NetFn, and Command (if supplied) on the current or specified channel. Listed information includes the support, configurable, and enabled bits for the specified command or commands.
Some usage examples:
- info [channel H] [lun L]
This command will list firmware firewall information for all NetFns for the specified LUN on either the current or the specified channel.
- info [channel H] [lun L [ netfn N ]
This command will print out all command information for a single LUN/NetFn pair.
- info [channel H] [lun L [ netfn N [command C] ]]
This prints out detailed, human-readable information showing the support, configurable, and enabled bits for the specified command on the specified LUN/NetFn pair. Information will be printed about each of the command subfunctions.
- info [channel H] [lun L [ netfn N [command C [subfn S]]]]
Print out information for a specific sub-function.
- enable [(Parms as described above)]
This command is used to enable commands for a given NetFn/LUN combination on the specified channel.
- disable [(Parms as described above)] [force]
This command is used to disable commands for a given NetFn/LUN combination on the specified channel. Great care should be taken if using the "force" option so as not to disable the "Set Command Enables" command.
- reset [(Parms as described above)]
This command may be used to reset the firmware firewall back to a state where all commands and command sub-functions are enabled.
See http://ipmiutil.sourceforge.net/ for the latest version of ipmiutil and any bug fix list.
Copyright (C) 2010 Kontron America, Inc.
See the file COPYING in the distribution for more details regarding redistribution.
This utility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
Andy Cress <arcress at users.sourceforge.net>
|Version 1.0: 04 Jun 2010|