ipmi access

Jeroen Massar jeroen at massar.ch
Mon Jun 2 12:33:05 UTC 2014

On 2014-06-02 14:23, Paul S. wrote:
> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
> iptables that works in the same way.
> You could put it on a public net, allow your stuff and DROP
> But unless you have servers with those, I think the best way to go is
> putting them on internal IPs and then using some sort of a VPN.

While you are typing the iptables command, do a check of the software
versions; typically they are running a decade-old kernel and a lot of
unpatched software that is exposed. You really do not want to run that
on the Interwebs; just the idea of any packet arriving at such a kernel
is scary.

Relevant good reads:

The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
of the kernel running on most IPMIs out there.

http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006

8 years... ouch, yeah, no way that is going to be attached to a public

Thus please, don't shoot yourself in the foot with that and more
importantly don't shoot the rest of the Internet in the foot as they'll
receive the packets.

Note: the IPMI that Michael describes is on an unrouted VLAN; the access
to the OpenVPN port that he runs on the IPMI happens through SSH on a
jumpbox which is ACLd away.


  (who is still waiting for Zeus4IPMI)
