[172157] in North American Network Operators' Group


Re: ipmi access

daemon@ATHENA.MIT.EDU (Paul S.)
Mon Jun 2 08:23:49 2014

X-Original-To: nanog@nanog.org
Date: Mon, 02 Jun 2014 21:23:36 +0900
From: "Paul S." <contact@winterei.se>
To: nanog@nanog.org
In-Reply-To: <CA+qj4S_5d+8LkTUaNtzsKQ7vGzxXwGQdA=upDHnu55AiHEE_tQ@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On 6/2/2014 09:19 PM, Andrew Latham wrote:
> I use OpenVPN to access an Admin/sandboxed network with insecure portals,
> wiki, and ipmi.
> On Jun 2, 2014 7:13 AM, "Randy Bush" <randy@psg.com> wrote:
>
>> so how do folk protect yet access ipmi?  it is pretty vulnerable, so 99%
>> of the time i want it blocked off.  but that other 1%, i want kvm
>> console, remote media, and dim sum.
>>
>> currently, i just block the ip address chunk into which i put ipmi at
>> the border of the rack.  when i want access, i reconfig the acl.  bit of
>> a pita.
>>
>> anyone care to share better idea(s)?  thanks.
>>
>> randy
>>

Depends.

Most ATEN chip-based BMC boards from Supermicro include a UI to
iptables that works in the same way.

You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.

But unless you have servers with those, I think the best way to go is 
putting them on internal IPs and then using some sort of a VPN.
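
Added example, not part of the original message: a small Python check for the "allow your stuff and DROP 0.0.0.0/0" rule list described above, to run before entering the rules on a BMC. It assumes iptables-like first-match ordering and a default of ACCEPT when nothing matches; the addresses are constructed documentation ranges, and the `decide` and `audit` helpers are hypothetical names.

```python
import ipaddress

# Constructed rule list in the order it would be entered: (action, CIDR).
# 192.0.2.0/24 and 198.51.100.7 stand in for "your stuff" (documentation ranges).
RULES = [
    ("ACCEPT", "192.0.2.0/24"),
    ("ACCEPT", "198.51.100.7/32"),
    ("DROP", "0.0.0.0/0"),
]


def decide(rules, src, default="ACCEPT"):
    """First matching rule wins (assumed semantics); fall back to default."""
    addr = ipaddress.ip_address(src)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return default


def audit(rules, max_accept_prefix=24):
    """Return a list of problems found in an allow-then-drop rule list."""
    problems = []
    nets = [(action, ipaddress.ip_network(cidr)) for action, cidr in rules]
    # Without a trailing catch-all DROP, unmatched sources hit the default.
    if not nets or nets[-1] != ("DROP", ipaddress.ip_network("0.0.0.0/0")):
        problems.append("last rule is not DROP 0.0.0.0/0")
    earlier_drops = []
    for i, (action, net) in enumerate(nets):
        if action == "ACCEPT":
            # Flag allow rules wider than the chosen management prefix.
            if net.prefixlen < max_accept_prefix:
                problems.append(
                    f"rule {i}: ACCEPT {net} is broader than /{max_accept_prefix}")
            # An ACCEPT placed after a covering DROP never matches (lockout).
            if any(net.subnet_of(drop) for drop in earlier_drops):
                problems.append(
                    f"rule {i}: ACCEPT {net} is shadowed by an earlier DROP")
        else:
            earlier_drops.append(net)
    return problems


if __name__ == "__main__":
    print(audit(RULES) or "rule list OK")
    for src in ("192.0.2.10", "203.0.113.5"):
        print(src, decide(RULES, src))
```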
