jeroen at massar.ch
Mon Jun 2 12:33:05 UTC 2014
On 2014-06-02 14:23, Paul S. wrote:
> On most ATEN chip based BMC boards from Supermicro, it includes a UI to
> iptables that works in the same way.
> You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
> But unless you have servers with those, I think the best way to go is
> putting them on internal IPs and then using some sort of a VPN.
While you are typing the iptables command, do a check of the software
versions; typically they are running a decade-old kernel and a lot of
unpatched software that is exposed. You really do not want to run that
on the Interwebs, just the idea of any packet arriving to such a kernel
Relevant good reads:
The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
of the kernel running on most IPMIs out there.
http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006
8 years... ouch, yeah, no way that is going to be attached to a public
Thus please, don't shoot yourself in the foot with that and more
importantly don't shoot the rest of the Internet in the foot as they'll
receive the packets.
Note: the IPMI that Michael describes is on an unrouted VLAN, the access
to the OpenVPN port that he runs on the IPMI happens through SSH on a
jumpbox which is ACLd away.
(who is still waiting for Zeus4IPMI)