Integrated IPMI Firewall of Supermicro Motherboards
Supermicro X7/X8/H8/X9/X10 Motherboards with recent ATEN-based IPMI firmware versions have the possibility to limit access to the remote management IP through an integrated firewall (IP Access Control). Generally, we recommend protecting every remote control access by using a dedicated firewall, however the firewall integrated in these systems can offer additional protection.
Activating the Firewall
Activating via Web
The firewall settings can be reached from menu Configuration -> IP Access Control on the web interface screen.
The following example exclusively allows access to the remote management system on the server from the management PC that has the IP address 10.0.0.4.
- Activate the Enable IP Access Control checkbox
- First, add a rule with the IP address 10.0.0.4 and the ACCEPT policy
- Add an additional rule with IP address 0.0.0.0/0 and the DROP policy (this rule explicitly forbids access from any IP addresses, except those that have been permitted using a preceding rule)
The screenshot shows the completed configuration from the example described.
Activating via SMCIPMItool
In addition to the configuration via the web-interface, the firewall of Supermicro X10 motherboards can also be configured via the SMCIPMITool:
java -jar SMCIPMITool.jar [IP] [USERNAME] [PASSWORD] ipmi oem x10cfg ipCtrl<code>
The following sub-commands are possible:
Command:ipmi oem x10cfg ipCtrl Command(s): list List IP access control status <enable/disable> Enable/Disable IP access control add <...> Add IP access control edit <...> Edit IP access control delete <rule no> Delete IP access control
The following output shows an example configuration of a X10SLH-F motherboard:
$ java -jar SMCIPMITool.jar 10.1.102.120 ADMIN relation123 ipmi oem x10cfg ipCtrl list IP Access Control | On Rule No | IP Address/Mask | Policy ------- | --------------- | ------ 1 | 10.1.102.101/255.255.255.255 | Accept 2 | 0.0.0.0/0.0.0.0 | Drop 3 | | 4 | | 5 | | 6 | | 7 | | 8 | | 9 | | 10 | |
Testing Firewall Rules
The following test shows the proper operation of the firewall configuration.
Access test from the management PC with the address 10.0.0.4:
user@ubuntu-11-10:~$ ip addr | grep 10.0.0.4 inet 10.0.0.4/24 brd 10.0.0.255 scope global wlan0 user@ubuntu-11-10:~$ ping -c 1 10.0.0.241 PING 10.0.0.241 (10.0.0.241) 56(84) bytes of data. 64 bytes from 10.0.0.241: icmp_req=1 ttl=64 time=2.16 ms --- 10.0.0.241 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.168/2.168/2.168/0.000 ms user@ubuntu-11-10:~$
Access test from another computer with the address 10.0.0.3:
root@9000080177:~# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 00:25:90:52:d8:35 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:25:90:52:d8:34 brd ff:ff:ff:ff:ff:ff inet 10.0.0.3/24 brd 10.0.0.255 scope global eth1 inet6 fe80::225:90ff:fe52:d834/64 scope link valid_lft forever preferred_lft forever root@9000080177:~# ping -c 10 10.0.0.241 PING 10.0.0.241 (10.0.0.241) 56(84) bytes of data. --- 10.0.0.241 ping statistics --- 10 packets transmitted, 0 received, 100% packet loss, time 8999ms root@9000080177:~#
Allowing Access after Lockout due to Misconfiguration
For the event that someone has locked themselves out through the integrated firewall, the IPMI configuration must be reset to factory defaults to gain access again. There are two ways to accomplish this:
- Factory reset via ipmitool or ipmicfg:
- Factory reset via firmware update (firmware must be re-loaded from the operating system of the affected server using the IPMI Flash utility):
- You can find information regarding the IPMI Flash utility for main boards with the ATEN IPMI software in the article, Updating Supermicro Main Board IPMI Firmware using ATEN IPMI software
- When reloading the firmware update, the option -r no (No Preserve, reset to factory default settings) must be selected in this case. Afterwards, the IPMI configuration (IP address, user, etc.) must be manually reset, or an IPMI configuration file reloaded.
- Nuvoton WPCM450R IPMI Chip with ATEN Software
- ASPEED AST2400 IPMI Chip with ATEN-Software
- Do you have a (...) a command set I can send using ipmitool that replicates the reset command? (Supermicro FAQ 15448)
- How do you restore the BMC (...) back to the default setting in Linux? (Supermicro FAQ 10237)
Author: Werner Fischer
Werner Fischer, working in the Web Operations & Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.