Provided by: ipmiutil_3.0.7-1build1_amd64

NAME

       ipmiutil_firewall - configure the IPMI firmware firewall functions

SYNOPSIS

       ipmiutil firewall [-mxNUPREFJTVY] parameters

DESCRIPTION

       This  ipmiutil firewall command supports the IPMI Firmware Firewall capability.  It may be used to add or
       remove security-based restrictions on certain commands/command sub-functions   or  to  list  the  current
       firmware  firewall  restrictions  set  on any commands.  For each firmware firewall command listed below,
       parameters may be included to cause the command to be executed with increasing granularity on a  specific
       LUN,  for  a  specific  NetFn,  for  a  specific  IPMI Command, and finally for a specific command's sub-
       function.  See Appendix H in the IPMI 2.0 Specification for a listing of any  sub-function  numbers  that
       may be associated with a particular command.

       This  utility  can  use  either  the /dev/ipmi0 driver from OpenIPMI, the /dev/imb driver from Intel, the
       /dev/ipmikcs driver from valinux, direct user-space IOs, or the IPMI LAN interface if -N is specified.

OPTIONS

       Command line options are described below.

       -m 002000
              Show FRU for a specific MC (e.g. bus 00, sa 20, lun 00).  This could be used  for  PICMG  or  ATCA
              blade  systems.   The  trailing  character,  if  present, indicates SMI addressing if 's', or IPMB
              addressing if 'i' or not present.

       -x     Causes extra debug messages to be displayed.

       -N nodename
              Nodename or IP address of the remote  target  system.   If  a  nodename  is  specified,  IPMI  LAN
              interface is used.  Otherwise the local system management interface is used.

       -U rmt_user
              Remote username for the nodename given.  The default is a null username.

       -P/-R rmt_pswd
              Remote password for the nodename given.  The default is a null password.

       -E     Use the remote password from Environment variable IPMI_PASSWORD.

       -F drv_t
              Force  the driver type to one of the following: imb, va, open, gnu, landesk, lan, lan2, lan2i, kcs,
              smb.  Note that lan2i means lan2 with intelplus.  The default is to detect  any  available  driver
              type and use it.

       -J     Use   the  specified  LanPlus  cipher  suite  (0  thru  17):  0=none/none/none,  1=sha1/none/none,
              2=sha1/sha1/none, 3=sha1/sha1/cbc128, 4=sha1/sha1/xrc4_128, 5=sha1/sha1/xrc4_40,  6=md5/none/none,
              ... 14=md5/md5/xrc4_40.  Default is 3.

       -T     Use a specified IPMI LAN Authentication Type: 0=None, 1=MD2, 2=MD5, 4=Straight Password, 5=OEM.

       -V     Use  a  specified  IPMI  LAN  privilege  level.  1=Callback level, 2=User level, 3=Operator level,
              4=Administrator level (default), 5=OEM level.

       -Y     Yes, do prompt the user for the IPMI LAN remote password.  Alternatives for the password are -E or
              -P.

PARAMETERS

       Parameter syntax and dependencies are as follows:

       firewall [channel H] [lun L [ netfn N [command C [subfn S]]]]

       Note  that  if "netfn N" is specified, then "lun L" must also be specified;  if "command C" is specified,
       then "netfn N" (and therefore "lun L") must also be specified, and so forth.

       "channel H" is an optional and standalone parameter.  If not specified, the requested operation  will  be
       performed on the current channel.  Note that command support may vary from channel to channel.

       Firmware firewall commands:

              info [(Parms as described above)]

                     List  firmware firewall information for the specified LUN, NetFn, and Command (if supplied)
                     on  the  current  or  specified  channel.   Listed  information   includes   the   support,
                     configurable, and enabled bits for the specified command or commands.

                     Some usage examples:

                     info [channel H] [lun L]

                            This  command  will  list  firmware  firewall  information  for  all  NetFns for the
                            specified LUN on either the current or the specified channel.

                     info [channel H] [lun L [ netfn N ]]

                            This command will print out all command information for a single LUN/NetFn pair.

                     info [channel H] [lun L [ netfn N [command C] ]]

                            This  prints  out  detailed,  human-readable  information   showing   the   support,
                            configurable,  and enabled bits for the specified command on the specified LUN/NetFn
                            pair.  Information will be printed about each of the command subfunctions.

                     info [channel H] [lun L [ netfn N [command C [subfn S]]]]

                            Print out information for a specific sub-function.

              enable [(Parms as described above)]

                     This command is used to enable commands for a given NetFn/LUN combination on the  specified
                     channel.

              disable [(Parms as described above)] [force]

                     This command is used to disable commands for a given NetFn/LUN combination on the specified
                     channel.   Great care should be taken if using the "force" option so as not to disable  the
                     "Set Command Enables" command.

              reset [(Parms as described above)]

                     This  command may be used to reset the firmware firewall back to a state where all commands
                     and command sub-functions are enabled.
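
       The parameter dependencies and the "force" caution above, as an added example (not part of ipmiutil or
       this manual page): a shell wrapper that validates a request and prints the resulting command line instead
       of running it. The names fw_cmd, is_num and fail are hypothetical; the NetFn and command numbers for
       "Set Command Enables" come from the IPMI 2.0 specification; refusing such a forced disable is this
       wrapper's own policy, and numeric values are passed through exactly as typed.

```shell
# Added example, not part of ipmiutil: validate parameters, then print the command.
# Usage: fw_cmd OP [channel H] [lun L] [netfn N] [command C] [subfn S] [force]
APP_NETFN=0x06        # NetFn App (IPMI 2.0 specification, not from this page)
SET_CMD_ENABLES=0x60  # "Set Command Enables" (IPMI 2.0 specification)
fail() { echo "fw_cmd: $*" >&2; }

is_num() {  # accept decimal or 0x-hex; reject empty and leading-zero decimals
    case $1 in
        ''|0[xX]|0[xX]*[!0-9a-fA-F]*|0[0-9]*) return 1 ;;
        0[xX]*) return 0 ;;
        *[!0-9]*) return 1 ;;
    esac
}

fw_cmd() {
    op=${1-}; channel=; lun=; netfn=; command=; subfn=; force=
    [ $# -eq 0 ] || shift
    case $op in
        info|enable|disable|reset) ;;
        *) fail "unknown operation '$op'"; return 1 ;;
    esac
    while [ $# -gt 0 ]; do
        case $1 in
            channel|lun|netfn|command|subfn)
                is_num "${2-}" || { fail "$1 needs a numeric value"; return 1; }
                eval "$1=\$2"; shift 2 ;;
            force) force=1; shift ;;
            *) fail "unknown parameter '$1'"; return 1 ;;
        esac
    done
    # Each level depends on the one above it: subfn -> command -> netfn -> lun.
    [ -z "$netfn" ]   || [ -n "$lun" ]     || { fail "netfn requires lun"; return 1; }
    [ -z "$command" ] || [ -n "$netfn" ]   || { fail "command requires netfn"; return 1; }
    [ -z "$subfn" ]   || [ -n "$command" ] || { fail "subfn requires command"; return 1; }
    if [ -n "$force" ]; then
        [ "$op" = disable ] || { fail "force applies only to disable"; return 1; }
        # Wrapper policy: a forced disable must not cover Set Command Enables.
        if [ -z "$netfn" ] || { [ $(($netfn)) -eq $(($APP_NETFN)) ] &&
            { [ -z "$command" ] || [ $(($command)) -eq $(($SET_CMD_ENABLES)) ]; }; }; then
            fail "forced disable would cover Set Command Enables"; return 1
        fi
    fi
    out="ipmiutil firewall $op"
    for p in channel lun netfn command subfn; do
        eval "v=\$$p"
        [ -z "$v" ] || out="$out $p $v"
    done
    echo "$out${force:+ force}"
}
```

       Running "fw_cmd info lun 0 netfn 0x06" first, and reviewing the enabled bits it reports, shows which
       commands a later disable at the same scope would affect.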

SEE ALSO

       ipmiutil(8)  ialarms(8)  iconfig(8)  idiscover(8)  ievents(8)  ifru(8)  igetevent(8)  ihealth(8)  ilan(8)
       ireset(8) isel(8) isensor(8) iserial(8) isol(8) iwdt(8)

WARNINGS

       See http://ipmiutil.sourceforge.net/ for the latest version of ipmiutil and any bug fix list.

       Copyright (C) 2010  Kontron America, Inc.

       See the file COPYING in the distribution for more details regarding redistribution.

       This utility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.

AUTHOR

       Andy Cress <arcress at users.sourceforge.net>

                                            Version 1.0: 04 Jun 2010                                IFIREWALL(8)