IFIREWALL(8)                System Manager's Manual               IFIREWALL(8)

NAME

       ipmiutil firewall - configure the IPMI firmware firewall functions

SYNOPSIS

       ipmiutil firewall [-mxNUPREFJTVY] <parameters>

DESCRIPTION

       This ipmiutil firewall command supports the IPMI Firmware Firewall
       capability.  It may be used to add or remove security-based
       restrictions on certain commands/command sub-functions, or to list the
       current firmware firewall restrictions set on any commands.  For each
       firmware firewall command listed below, parameters may be included to
       cause the command to be executed with increasing granularity on a
       specific LUN, for a specific NetFn, for a specific IPMI Command, and
       finally for a specific command's sub-function.  See Appendix H in the
       IPMI 2.0 Specification for a listing of any sub-function numbers that
       may be associated with a particular command.

       This utility can use either the /dev/ipmi0 driver from OpenIPMI, the
       /dev/imb driver from Intel, the /dev/ipmikcs driver from valinux,
       direct user-space IOs, or the IPMI LAN interface if -N is specified.

OPTIONS

       Command line options are described below.

       -m 002000
              Show FRU for a specific MC (e.g. bus 00, sa 20, lun 00).  This
              could be used for PICMG or ATCA blade systems.  The trailing
              character, if present, indicates SMI addressing if 's', or IPMB
              addressing if 'i' or not present.

       -x     Causes extra debug messages to be displayed.

       -N nodename
              Nodename or IP address of the remote target system.  If a
              nodename is specified, IPMI LAN interface is used.  Otherwise
              the local system management interface is used.

       -U rmt_user
              Remote username for the nodename given.  The default is a null
              username.

       -P/-R rmt_pswd
              Remote password for the nodename given.  The default is a null
              password.

       -E     Use the remote password from Environment variable IPMI_PASSWORD.

       -F drv_t
              Force the driver type to one of the following: imb, va, open,
              gnu, landesk, lan, lan2, lan2i, kcs, smb.  Note that lan2i means
              lan2 with intelplus.  The default is to detect any available
              driver type and use it.

       -J     Use the specified LanPlus cipher suite (0 thru 14):
              0=none/none/none, 1=sha1/none/none, 2=sha1/sha1/none,
              3=sha1/sha1/cbc128, 4=sha1/sha1/xrc4_128, 5=sha1/sha1/xrc4_40,
              6=md5/none/none, ... 14=md5/md5/xrc4_40.  Default is 3.

       -T     Use a specified IPMI LAN Authentication Type: 0=None, 1=MD2,
              2=MD5, 4=Straight Password, 5=OEM.

       -V     Use a specified IPMI LAN privilege level.  1=Callback level,
              2=User level, 3=Operator level, 4=Administrator level (default),
              5=OEM level.

       -Y     Yes, do prompt the user for the IPMI LAN remote password.
              Alternatives for the password are -E or -P.

PARAMETERS

       Parameter syntax and dependencies are as follows:

       firewall [<channel H>] [<lun L> [<netfn N> [<command C> [<subfn S>]]]]

       Note that if "netfn <N>" is specified, then "lun <L>" must also be
       specified; if "command <C>" is specified, then "netfn <N>" (and
       therefore "lun <L>") must also be specified, and so forth.

       "channel <H>" is an optional and standalone parameter.  If not
       specified, the requested operation will be performed on the current
       channel.  Note that command support may vary from channel to channel.

       Firmware firewall commands:

              info [<Parms as described above>]

                     List firmware firewall information for the specified LUN,
                     NetFn, and Command (if supplied) on the current or
                     specified channel.  Listed information includes the
                     support, configurable, and enabled bits for the specified
                     command or commands.

                     Some usage examples:

                     info [<channel H>] [<lun L>]

                            This command will list firmware firewall
                            information for all NetFns for the specified LUN
                            on either the current or the specified channel.

                     info [<channel H>] [<lun L> [<netfn N>]]

                            This command will print out all command
                            information for a single LUN/NetFn pair.

                     info [<channel H>] [<lun L> [<netfn N> [<command C>]]]

                            This prints out detailed, human-readable
                            information showing the support, configurable, and
                            enabled bits for the specified command on the
                            specified LUN/NetFn pair.  Information will be
                            printed about each of the command subfunctions.

                     info [<channel H>] [<lun L> [<netfn N> [<command C> [<subfn S>]]]]

                            Print out information for a specific sub-function.

              enable [<Parms as described above>]

                     This command is used to enable commands for a given
                     NetFn/LUN combination on the specified channel.

              disable [<Parms as described above>] [force]

                     This command is used to disable commands for a given
                     NetFn/LUN combination on the specified channel.  Great
                     care should be taken if using the "force" option so as
                     not to disable the "Set Command Enables" command.

              reset [<Parms as described above>]

                     This command may be used to reset the firmware firewall
                     back to a state where all commands and command
                     sub-functions are enabled.
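The parameter dependency rule and the "force" caution above, as an added shell example that is not part of ipmiutil or its documentation. The helper fw_cmdline, its key=value argument style and its policy of accepting "force" only for a disable narrowed to one command are assumptions made for illustration; it only prints the command line for review and never contacts a BMC.

```shell
# Added example: dry-run builder for `ipmiutil firewall` parameter chains.
# fw_cmdline and its key=value arguments are hypothetical helper conventions.
# Values are passed through unchanged; any numbers used with it are constructed.
fw_cmdline() {
    sub=$1
    shift
    case $sub in
        info|enable|disable|reset) ;;
        *) echo "unknown firewall command: $sub" >&2; return 2 ;;
    esac
    channel='' lun='' netfn='' command='' subfn='' force=''
    for arg in "$@"; do
        case $arg in
            channel=*) channel=${arg#*=} ;;
            lun=*)     lun=${arg#*=} ;;
            netfn=*)   netfn=${arg#*=} ;;
            command=*) command=${arg#*=} ;;
            subfn=*)   subfn=${arg#*=} ;;
            force)     force=1 ;;
            *) echo "unknown parameter: $arg" >&2; return 2 ;;
        esac
    done
    # Dependency rule from PARAMETERS: each level needs the one above it.
    if [ -n "$subfn" ] && [ -z "$command" ]; then
        echo "subfn requires command" >&2; return 2
    fi
    if [ -n "$command" ] && [ -z "$netfn" ]; then
        echo "command requires netfn" >&2; return 2
    fi
    if [ -n "$netfn" ] && [ -z "$lun" ]; then
        echo "netfn requires lun" >&2; return 2
    fi
    # Wrapper policy (assumption): "force" only on disable, and only when
    # narrowed to one command, so a broad disable cannot sweep up
    # "Set Command Enables" unnoticed.
    if [ -n "$force" ]; then
        if [ "$sub" != disable ] || [ -z "$command" ]; then
            echo "force needs: disable ... command=C" >&2; return 2
        fi
    fi
    out="ipmiutil firewall $sub"
    if [ -n "$channel" ]; then out="$out channel $channel"; fi
    if [ -n "$lun" ]; then out="$out lun $lun"; fi
    if [ -n "$netfn" ]; then out="$out netfn $netfn"; fi
    if [ -n "$command" ]; then out="$out command $command"; fi
    if [ -n "$subfn" ]; then out="$out subfn $subfn"; fi
    if [ -n "$force" ]; then out="$out force"; fi
    printf '%s\n' "$out"
}
```

Running the matching "info" line first and recording its output gives a baseline to compare against after any enable, disable or reset.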

SEE ALSO

       ipmiutil(8) ialarms(8) iconfig(8) idiscover(8) ievents(8) ifru(8)
       igetevent(8) ihealth(8) ilan(8) ireset(8) isel(8) isensor(8) iserial(8)
       isol(8) iwdt(8)

WARNINGS

       See http://ipmiutil.sourceforge.net/ for the latest version of ipmiutil
       and any bug fix list.

       Copyright (C) 2010  Kontron America, Inc.

       See the file COPYING in the distribution for more details regarding
       redistribution.

       This utility is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY.

AUTHOR

       Andy Cress <arcress at users.sourceforge.net>

                           Version 1.0: 04 Jun 2010               IFIREWALL(8)