5

I want to be able to switch LAN access to IPMI on and off on my machine (e.g. using a script and ipmitool).

I've successfully configured static IP, netmask, password, and other settings using ipmitool on Ubuntu 16.04. I would have expected the following command to disable access to the LAN channel, 0x1:

$ ipmitool lan set 0x1 access off

The command returns 0 and produces the following output:

Set Channel Access for channel 1 was successful.

However, despite having successfully changed the setting, I am still able to access the web configuration interface via my previously configured static IP and netmask settings.

Here's the output of ipmitool channel info 0x1 prior to disabling access to the channel:

Channel 0x1 info:
  Channel Medium Type   : 802.3 LAN
  Channel Protocol Type : IPMB-1.0
  Session Support       : multi-session
  Active Session Count  : 0
  Protocol Vendor ID    : 7154
  Volatile(active) Settings
    Alerting            : enabled
    Per-message Auth    : enabled
    User Level Auth     : enabled
    Access Mode         : always available
  Non-Volatile Settings
    Alerting            : enabled
    Per-message Auth    : enabled
    User Level Auth     : enabled
    Access Mode         : always available

After running the command, the Access Mode field for both Volatile and Non-Volatile Settings reads 'disabled.'

Am I missing something here? How do people generally disable the IPMI LAN interface?

techraf
  • 4,163
  • 8
  • 27
  • 44
wickstopher
  • 151
  • 1
  • 4

1 Answers1

1
$ ipmitool lan set 0x1 access off

This command refers specifically to the IPMI protocol over the LAN, not SSH / SNMP / HTTP/HTTPS etc.

The IPMI protocol is UDP/623, and is what you use when you run ipmitool to a remote host.

EDIT: I realise I didn't answer the question. It might be simplest to set a static IP of 0.0.0.0 on the IPMI interface when you want it disabled, and then set a valid static IP when you want it enabled. Most IPMI controllers have some kind of firewall option, but for IPMI controllers on SMC motherboards at least, you can't configure the firewall via the IPMI CLI interface, only the web interface.

Daniel Lawson
  • 5,426
  • 21
  • 27
  • Are you sure that setting the IPv4 wildcard address 0.0.0.0 would not cause problems? – aventurin Sep 03 '16 at 09:37
  • It's not a wildcard IP. Unless there's some esoteric bug, I can't see how it would cause problems. – Daniel Lawson Sep 04 '16 at 21:25
  • This is an approach that I've been toying around with. However, using ipmitool to set the static IP to 0.0.0.0 hangs the program indefinitely (ipmitool does not appear to halt). I've been setting the static IP to 1.1.1.1 and the netmask to 255.255.255.254 (again, trying to set it to 255.255.255.255 hangs the application), and that seems to do the trick. Any known caveats to this approach? – wickstopher Sep 07 '16 at 13:42
  • I can't think of any. Running 'ipmitool lan set 0x1 ipaddr 0.0.0.0' returns fine for me, on the SMC systems I tested at least, sorry it didn't work for you. – Daniel Lawson Sep 11 '16 at 23:58