Integrated IPMI Firewall of Supermicro Motherboards

From Thomas-Krenn-Wiki

Supermicro X7/X8/H8/X9/X10 motherboards with recent ATEN-based IPMI firmware[1][2] versions can limit access to the remote management IP address through an integrated firewall (IP Access Control). We generally recommend protecting every remote management interface with a dedicated firewall; the firewall integrated in these systems can nevertheless offer additional protection.

Activating the Firewall

Activating via Web

The firewall settings can be reached from menu Configuration -> IP Access Control on the web interface screen.

The following example exclusively allows access to the remote management system on the server from the management PC that has the IP address 10.0.0.4.

  1. Activate the Enable IP Access Control checkbox
  2. First, add a rule with the IP address 10.0.0.4 and the ACCEPT policy
  3. Add an additional rule with IP address 0.0.0.0/0 and the DROP policy (this rule explicitly forbids access from any IP addresses, except those that have been permitted using a preceding rule)

The screenshot shows the completed configuration from the example described.

Due to the configured IP access control rules, access to the remote management system is limited exclusively to the host with the IP address 10.0.0.4.

Activating via SMCIPMItool

In addition to the configuration via the web interface, the firewall of Supermicro X10 motherboards can also be configured via the SMCIPMITool:

  • java -jar SMCIPMITool.jar [IP] [USERNAME] [PASSWORD] ipmi oem x10cfg ipCtrl

The following sub-commands are possible:

Command:ipmi oem x10cfg ipCtrl 
Command(s): 
list                      	 List IP access control 
status <enable/disable>   	 Enable/Disable IP access control 
add <...>                 	 Add IP access control 
edit <...>                	 Edit IP access control 
delete <rule no>          	 Delete IP access control

The following output shows an example configuration of a X10SLH-F motherboard:

$ java -jar SMCIPMITool.jar 10.1.102.120 ADMIN relation123 ipmi oem x10cfg ipCtrl list
 IP Access Control              |                   On 


Rule No | IP Address/Mask                          | Policy               
------- | ---------------                          | ------               
      1 | 10.1.102.101/255.255.255.255             | Accept               
      2 | 0.0.0.0/0.0.0.0                          | Drop                 
      3 |                                          |                      
      4 |                                          |                      
      5 |                                          |                      
      6 |                                          |                      
      7 |                                          |                      
      8 |                                          |                      
      9 |                                          |                      
     10 |                                          |                      
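The rule order in the steps above (ACCEPT for the management host before the catch-all DROP) and the `ipCtrl list` output decide who can reach the BMC. The following added example (not part of the original article or of SMCIPMITool) parses that list format, evaluates a source address against the rules with first-match semantics as the article describes them, and audits a rule set for the two mistakes that matter: a management host that would be locked out, and a missing catch-all DROP. The sample output is constructed in the format shown above.

```python
import ipaddress
import re

# Constructed sample in the `ipCtrl list` format shown above (not captured from a board).
SAMPLE_OUTPUT = """\
 IP Access Control              |                   On

Rule No | IP Address/Mask                          | Policy
------- | ---------------                          | ------
      1 | 10.1.102.101/255.255.255.255             | Accept
      2 | 0.0.0.0/0.0.0.0                          | Drop
      3 |                                          |
"""
RULE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(Accept|Drop)\s*$")

def parse_ip_ctrl(output):
    """Return (enabled, rules); rules is a list of (network, policy) in rule order."""
    enabled, rules = False, []
    for line in output.splitlines():
        if line.strip().startswith("IP Access Control"):
            enabled = line.split("|")[-1].strip().lower() == "on"
        m = RULE_RE.match(line)
        if m:  # empty rule slots (no address, no policy) do not match
            net = ipaddress.ip_network(m.group(2), strict=False)  # accepts a.b.c.d/mask
            rules.append((net, m.group(3).lower()))
    return enabled, rules

def is_allowed(enabled, rules, source_ip):
    """First matching rule wins (assumption drawn from the article: a later DROP does not
    override an earlier ACCEPT). With the control disabled or no match, the BMC accepts."""
    if not enabled:
        return True
    addr = ipaddress.ip_address(source_ip)
    for net, policy in rules:
        if addr in net:
            return policy == "accept"
    return True

def audit(enabled, rules, mgmt_ips):
    """Pre-flight checks: every management host stays reachable, and a catch-all
    DROP exists so that unlisted hosts are refused."""
    findings = []
    if not enabled:
        findings.append("IP Access Control is disabled")
    for ip in mgmt_ips:
        if not is_allowed(enabled, rules, ip):
            findings.append(f"management host {ip} would be locked out")
    if not any(net.prefixlen == 0 and pol == "drop" for net, pol in rules):
        findings.append("no catch-all 0.0.0.0/0 DROP rule: unlisted hosts are still allowed")
    return findings
```

Running `audit` against the parsed output before committing a rule change catches the reversed-order configuration that otherwise requires the factory reset described further down.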

Testing Firewall Rules

The following test shows the proper operation of the firewall configuration.

Access test from the management PC with the address 10.0.0.4:

user@ubuntu-11-10:~$ ip addr | grep 10.0.0.4
    inet 10.0.0.4/24 brd 10.0.0.255 scope global wlan0
user@ubuntu-11-10:~$ ping -c 1 10.0.0.241
PING 10.0.0.241 (10.0.0.241) 56(84) bytes of data.
64 bytes from 10.0.0.241: icmp_req=1 ttl=64 time=2.16 ms

--- 10.0.0.241 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.168/2.168/2.168/0.000 ms
user@ubuntu-11-10:~$

Access test from another computer with the address 10.0.0.3:

root@9000080177:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:52:d8:35 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:52:d8:34 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global eth1
    inet6 fe80::225:90ff:fe52:d834/64 scope link 
       valid_lft forever preferred_lft forever
root@9000080177:~# ping -c 10 10.0.0.241
PING 10.0.0.241 (10.0.0.241) 56(84) bytes of data.

--- 10.0.0.241 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

root@9000080177:~#

Allowing Access after Lockout due to Misconfiguration

If someone has locked themselves out through the integrated firewall, the IPMI configuration must be reset to factory defaults to regain access. There are two ways to accomplish this:

  1. Factory reset via ipmitool or ipmicfg:
    • ipmitool raw 0x3c 0x40[3] or
    • ipmicfg -fd[4]
  2. Factory reset via firmware update (firmware must be re-loaded from the operating system of the affected server using the IPMI Flash utility):
    • You can find information regarding the IPMI Flash utility for main boards with the ATEN IPMI software in the article, Updating Supermicro Main Board IPMI Firmware using ATEN IPMI software
    • When reloading the firmware update, the option -r no (No Preserve, reset to factory default settings) must be selected in this case. Afterwards, the IPMI configuration (IP address, user, etc.) must be manually reset, or an IPMI configuration file reloaded.

References



Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Related articles

Request SNMP Information per MIB Browser
USBAnywhere Supermicro IPMI Virtual Media Vulnerability
Virtual network interface enx of Supermicro Motherboards