True, excellent point as well. Multiple openvpn/ipsec entry points on an internal network is probably the best way to go. On 6/2/2014 09:33 PM, Jeroen Massar wrote:
On 2014-06-02 14:23, Paul S. wrote: [..]
On most ATEN chip based BMC boards from Supermicro, it includes a UI to iptables that works in the same way.
You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.
But unless you have servers with those, I think the best way to go is putting them on internal IPs and then using some sort of a VPN. While you are typing the iptables command, do a check of the software versions; typically they are running a decade-old kernel and a lot of unpatched software that is exposed. You really do not want to run that on the Interwebs; just the idea of any packet arriving at such a kernel is scary.
Relevant good reads: http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK
The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version of the kernel running on most IPMIs out there.
http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006
8 years... ouch, yeah, no way that is going to be attached to a public network...
Thus please, don't shoot yourself in the foot with that and more importantly don't shoot the rest of the Internet in the foot as they'll receive the packets.
Note: the IPMI that Michael describes is on an unrouted VLAN; the access to the OpenVPN port that he runs on the IPMI happens through SSH on a jumpbox which is ACLd away.
Greets, Jeroen
(who is still awaiting for Zeus4IPMI)