Under Construction

hmc addfirewall

Available: from 1.9.1.0

The command “hmc addfirewall” adds rules to the firewall of an HMC; these rules allow access to HMC services over the network.

   addfirewall [-v] <hmc> <service> [<interface>] <IP>[/<prefixlen>] [<netmask>]

In addition to the HMC, one of the IBM-supported services and at least one IP address must be specified.

Services supported by IBM are the following:

    • ssh – Secure Shell
    • SecureRemoteAccess – Secure Remote Access
    • RMC – Resource Monitoring and Control (LPM, DLPAR)
    • FCS – HMC to HMC communication
    • i5250 – 5250 Remote Console
    • ping – ICMP echo
    • ntp – Network Time Protocol
    • SLP – SLP
    • RPD – RPD
    • snmptrap – SNMP traps
    • snmpagent – SNMP agent

Note: Depending on the HMC version, additional services may be supported. The official IBM documentation should be consulted.

If access should only be allowed via a specific interface, the interface name must be specified. Without an interface, rules are always added for all interfaces.

Rules can only be added for incoming network traffic, not for outgoing network traffic. This means there are no restrictions for outgoing connections. The HMC firewall is intended solely to protect the HMC itself.

A rule can allow a single IP address, several addresses, or an entire network. Rules can be added for both IPv4 and IPv6.

Below are some examples that illustrate the different options.

Allow SSH connections from the IP address 192.168.17.93 (source IP) to the HMC hmc01, but only via the interface eth0:

$ hmc addfirewall hmc01 ssh eth0 192.168.17.93
$

Note: Neither a netmask nor a prefix length is specified here. For IPv4 addresses the default is then the netmask 255.255.255.255, so the rule matches only the specified IP address.

Allow ping (ICMP) from any IP address on any interface of the HMC hmc01:

$ hmc addfirewall hmc01 ping 0.0.0.0 0.0.0.0
$

Alternatively, instead of the network mask 0.0.0.0, the prefix length can also be specified together with the IP address:

$ hmc addfirewall hmc01 ping 0.0.0.0/0
$

Allow RMC from the network 192.168.17.0/24 on the interface eth0:

$ hmc addfirewall hmc01 RMC eth0 192.168.17.0 255.255.255.0
$

Alternatively, the prefix length can be used here again instead of the netmask (255.255.255.0):

$ hmc addfirewall hmc01 RMC eth0 192.168.17.0/24
$

Rules for IPv6 cannot use a netmask; only a prefix length can be given. If no prefix length is given, the default is 128, i.e. only the specified address.
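The defaults described above (netmask or prefix length for IPv4, prefix length only for IPv6, /32 and /128 when nothing is given) are easy to get wrong when many rules are prepared at once. The following Python script is an added example, not part of the LPAR tool: it normalises the arguments of a planned “hmc addfirewall” call into a canonical network, rebuilds the command line, and flags rules that open a service to any source address on every interface. The service list is taken from this page; the rule format and the host-bit masking are assumptions made for review purposes, and the script only prints commands, it never runs them.

```python
"""Review planned 'hmc addfirewall' rules before they are applied.

Added example; not the LPAR tool's own code. The 'hmc' command is only
echoed as a string, never executed.
"""
import ipaddress

# Services the page lists as supported by IBM (assumed complete here).
SERVICES = {"ssh", "SecureRemoteAccess", "RMC", "FCS", "i5250", "ping",
            "ntp", "SLP", "RPD", "snmptrap", "snmpagent"}


def normalize_rule(hmc, service, ip_spec, interface=None, netmask=None):
    """Return a dict with the rebuilt command line and the network it covers.

    Defaults as described on the page: no netmask and no prefix length means
    /32 for IPv4 and /128 for IPv6; IPv6 rules may not carry a netmask.
    Host bits are masked off (strict=False) so the reviewer sees the whole
    range the rule admits; this is an assumption for review, not tool behaviour.
    """
    if service not in SERVICES:
        raise ValueError(f"unsupported service: {service}")
    if "/" in ip_spec and netmask is not None:
        raise ValueError("give either a prefix length or a netmask, not both")

    addr = ipaddress.ip_address(ip_spec.split("/", 1)[0])
    if addr.version == 6:
        if netmask is not None:
            raise ValueError("IPv6 rules take a prefix length, not a netmask")
        spec = ip_spec if "/" in ip_spec else f"{addr}/128"
    elif netmask is not None:
        spec = f"{addr}/{netmask}"          # e.g. 192.168.17.0/255.255.255.0
    elif "/" in ip_spec:
        spec = ip_spec                      # e.g. 192.168.17.0/24
    else:
        spec = f"{addr}/255.255.255.255"    # default: only this address

    network = ipaddress.ip_network(spec, strict=False)

    # Rebuild the command exactly in the page's argument order:
    # addfirewall <hmc> <service> [<interface>] <IP>[/<prefixlen>] [<netmask>]
    parts = ["hmc", "addfirewall", hmc, service]
    if interface:
        parts.append(interface)
    parts.append(ip_spec)
    if netmask is not None:
        parts.append(netmask)

    return {
        "command": " ".join(parts),
        "network": str(network),
        "interface": interface,
        "service": service,
        "any_source": network.prefixlen == 0,
    }


def review_rules(rules):
    """Return one warning string per rule that admits any source address.

    A rule with prefix length 0 and no interface restriction exposes the
    service on every HMC interface to every address; such rules deserve a
    second look before they are added.
    """
    warnings = []
    for rule in rules:
        if rule["any_source"]:
            scope = rule["interface"] or "all interfaces"
            warnings.append(
                f"{rule['service']} open to any source on {scope}: {rule['command']}")
    return warnings


if __name__ == "__main__":
    # Constructed sample rules, matching the examples on this page.
    planned = [
        normalize_rule("hmc01", "ssh", "192.168.17.93", interface="eth0"),
        normalize_rule("hmc01", "ping", "0.0.0.0", netmask="0.0.0.0"),
        normalize_rule("hmc01", "RMC", "192.168.17.0/24", interface="eth0"),
    ]
    for r in planned:
        print(f"{r['network']:<22} {r['command']}")
    for w in review_rules(planned):
        print("WARNING:", w)
```

Running the script prints the canonical network next to each rebuilt command, and a warning for the ping rule, since 0.0.0.0 with netmask 0.0.0.0 admits every source on every interface. A ping rule of that breadth is what the page's example intends; the point of the check is that a typo such as a forgotten netmask on an ssh or RMC rule shows up the same way before the rule reaches the HMC.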

The rules currently configured on an HMC can be displayed with the “hmc lsfirewall” command. Rules can be removed with the “hmc rmfirewall” command.