Under Construction

hmc lsfirewall

Available: from 1.9.1.0

The currently used firewall rules of an HMC can be displayed with the command “hmc lsfirewall”.

   lsfirewall [-o <format>] [{-f|-j|-y}] [-F <fields>] [-s <selections>] [-4] [-6] [-v] <hmc> [<interface>|<application>|<ports>|<allowedhost>|<selection> ...]
-4 # show rules for IPv4 (default)
-6 # show rules for IPv6

By default, the firewall rules for IPv4 are displayed; in the simplest case, all current rules:

$ hmc lsfirewall hmc01
APPLICATION         INTERFACE  PORTS                       ALLOWEDHOST
FCS                 eth0       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
FCS                 eth1       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
FCS                 eth2       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
FCS                 eth3       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
RMC                 eth0       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth1       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth2       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth3       657:udp,tcp:657             0.0.0.0/0.0.0.0
RPD                 eth0       12347:udp,udp:12348         0.0.0.0/0.0.0.0
RPD                 eth1       12347:udp,udp:12348         0.0.0.0/0.0.0.0
RPD                 eth2       12347:udp,udp:12348         0.0.0.0/0.0.0.0
RPD                 eth3       12347:udp,udp:12348         0.0.0.0/0.0.0.0
SLP                 eth0       427:udp                     0.0.0.0/0.0.0.0
SLP                 eth1       427:udp                     0.0.0.0/0.0.0.0
SLP                 eth2       427:udp                     0.0.0.0/0.0.0.0
SLP                 eth3       427:udp                     0.0.0.0/0.0.0.0
SecureRemoteAccess  eth0       443:tcp,tcp:12443,tcp:9960  0.0.0.0/0.0.0.0
ntp                 eth0       123:udp                     172.20.191.7/255.255.255.255
ntp                 eth1       123:udp                     172.20.230.7/255.255.255.255
ping                eth2       echo-request:icmp           0.0.0.0/0.0.0.0
ping                eth3       echo-request:icmp           0.0.0.0/0.0.0.0
ssh                 eth0       22:tcp                      0.0.0.0/0.0.0.0
$

If IPv6 is used, the rules for IPv6 can be displayed instead of the IPv4 rules by using the “-6” option:

$ hmc lsfirewall -6 hmc01
APPLICATION         INTERFACE  PORTS                          ALLOWEDHOST
FCS                 eth0       9920:tcp6,udp6:9900            ::/::
FCS                 eth1       9920:tcp6,udp6:9900            ::/::
FCS                 eth2       9920:tcp6,udp6:9900            ::/::
FCS                 eth3       9920:tcp6,udp6:9900            ::/::
RMC                 eth0       657:udp6,tcp6:657              ::/::
RMC                 eth1       657:udp6,tcp6:657              ::/::
RMC                 eth2       657:udp6,tcp6:657              ::/::
RMC                 eth3       657:udp6,tcp6:657              ::/::
RPD                 eth0       12347:udp6,udp6:12348          ::/::
RPD                 eth1       12347:udp6,udp6:12348          ::/::
RPD                 eth2       12347:udp6,udp6:12348          ::/::
RPD                 eth3       12347:udp6,udp6:12348          ::/::
SLP                 eth0       427:udp6                       ::/::
SLP                 eth1       427:udp6                       ::/::
SLP                 eth2       427:udp6                       ::/::
SLP                 eth3       427:udp6                       ::/::
SecureRemoteAccess  eth0       443:tcp6,tcp6:12443,tcp6:9960  ::/::
ssh                 eth0       22:tcp6                        ::/::
$

Note: If both IPv4 and IPv6 rules are to be displayed, the two options “-4” (IPv4) and “-6” (IPv6) must be used at the same time.

The application/service name, the interface, the associated network ports and the permitted IP addresses are displayed. The rules generally apply exclusively to incoming IP traffic. There are no rules for outbound IP traffic.
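The column layout above is easy to post-process for an audit. The following parser is an added example and not part of the LPAR tool; it reads the lsfirewall output, splits the PORTS field (tokens are either port:protocol or protocol:port), and flags rules for remote-access services that any source host may reach, i.e. whose ALLOWEDHOST netmask is all zeros. The sample lines and the list of services treated as sensitive (ssh, SecureRemoteAccess) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of "hmc lsfirewall" output (not a real HMC's rules).
SAMPLE = """\
APPLICATION         INTERFACE  PORTS                       ALLOWEDHOST
RMC                 eth0       657:udp,tcp:657             0.0.0.0/0.0.0.0
SecureRemoteAccess  eth0       443:tcp,tcp:12443,tcp:9960  0.0.0.0/0.0.0.0
ntp                 eth0       123:udp                     172.20.191.7/255.255.255.255
ping                eth2       echo-request:icmp           0.0.0.0/0.0.0.0
ssh                 eth0       22:tcp                      0.0.0.0/0.0.0.0
ssh                 eth0       22:tcp6                     ::/::
"""

PROTOCOLS = {"tcp", "udp", "tcp6", "udp6", "icmp"}

@dataclass
class Rule:
    application: str
    interface: str
    ports: list          # list of (port, protocol) pairs
    allowedhost: str     # "address/netmask" as printed by lsfirewall

def parse_ports(field):
    """'9920:tcp,udp:9900' -> [('9920', 'tcp'), ('9900', 'udp')].
    Each comma-separated token is port:proto or proto:port; the protocol
    side is recognised by name so both orders normalise to (port, proto)."""
    pairs = []
    for token in field.split(","):
        a, b = token.split(":", 1)
        pairs.append((b, a) if a in PROTOCOLS else (a, b))
    return pairs

def parse_lsfirewall(text):
    """Parse the table (header line first) into Rule records."""
    rules = []
    for line in text.splitlines()[1:]:
        if not line.strip() or line.strip() == "$":
            continue
        app, iface, ports, host = line.split()
        rules.append(Rule(app, iface, parse_ports(ports), host))
    return rules

def allows_any_host(allowedhost):
    """An all-zero netmask (0.0.0.0 or ::) matches every source address."""
    _addr, mask = allowedhost.split("/")
    return int(ipaddress.ip_address(mask)) == 0

def unrestricted_rules(rules, applications=("ssh", "SecureRemoteAccess")):
    """Rules for the given (assumed) sensitive services reachable from any host."""
    return [r for r in rules
            if r.application in applications and allows_any_host(r.allowedhost)]
```

Run the flagged list against the output of "hmc lsfirewall -4 -6" to cover both address families, since the IPv6 rules are listed separately.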

Additional firewall rules can be added with the commands “hmc addfirewall” or removed again with “hmc rmfirewall”.

If only certain rules are to be displayed, either the “-s” and “-S” selection options can be used, or the desired rules can be selected with additional arguments. The attributes application, interface, ports and allowedhost can be combined with “=” (exact match), “~” (regular expression match), “!=” (negated exact match) and “!~” (negated regular expression match).

This makes it easy to select specific firewall rules for display, e.g. to display only the rules for the eth0 interface:

$ hmc lsfirewall hmc01 interface=eth0
APPLICATION         INTERFACE  PORTS                       ALLOWEDHOST
FCS                 eth0       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
RMC                 eth0       657:udp,tcp:657             0.0.0.0/0.0.0.0
RPD                 eth0       12347:udp,udp:12348         0.0.0.0/0.0.0.0
SLP                 eth0       427:udp                     0.0.0.0/0.0.0.0
SecureRemoteAccess  eth0       443:tcp,tcp:12443,tcp:9960  0.0.0.0/0.0.0.0
ntp                 eth0       123:udp                     172.20.191.7/255.255.255.255
ssh                 eth0       22:tcp                      0.0.0.0/0.0.0.0
$

Or only the rules whose ports match the regular expression 657:

$ hmc lsfirewall hmc01 ports~657
APPLICATION  INTERFACE  PORTS            ALLOWEDHOST
RMC          eth0       657:udp,tcp:657  0.0.0.0/0.0.0.0
RMC          eth1       657:udp,tcp:657  0.0.0.0/0.0.0.0
RMC          eth2       657:udp,tcp:657  0.0.0.0/0.0.0.0
RMC          eth3       657:udp,tcp:657  0.0.0.0/0.0.0.0
$

For the variant with the exact match, the attribute name can also be omitted. This makes it even easier to display the rules for the eth0 interface using the following command:

$ hmc lsfirewall hmc01 eth0
APPLICATION         INTERFACE  PORTS                       ALLOWEDHOST
FCS                 eth0       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
RMC                 eth0       657:udp,tcp:657             0.0.0.0/0.0.0.0
RPD                 eth0       12347:udp,udp:12348         0.0.0.0/0.0.0.0
SLP                 eth0       427:udp                     0.0.0.0/0.0.0.0
SecureRemoteAccess  eth0       443:tcp,tcp:12443,tcp:9960  0.0.0.0/0.0.0.0
ntp                 eth0       123:udp                     172.20.191.7/255.255.255.255
ssh                 eth0       22:tcp                      0.0.0.0/0.0.0.0
$

Multiple expressions can also be specified; these are linked with a logical OR. The rules for the eth0 interface or the RMC application can then be displayed together as follows:

$ hmc lsfirewall hmc01 eth0 RMC
APPLICATION         INTERFACE  PORTS                       ALLOWEDHOST
FCS                 eth0       9920:tcp,udp:9900           0.0.0.0/0.0.0.0
RMC                 eth0       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth1       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth2       657:udp,tcp:657             0.0.0.0/0.0.0.0
RMC                 eth3       657:udp,tcp:657             0.0.0.0/0.0.0.0
RPD                 eth0       12347:udp,udp:12348         0.0.0.0/0.0.0.0
SLP                 eth0       427:udp                     0.0.0.0/0.0.0.0
SecureRemoteAccess  eth0       443:tcp,tcp:12443,tcp:9960  0.0.0.0/0.0.0.0
ntp                 eth0       123:udp                     172.20.191.7/255.255.255.255
ssh                 eth0       22:tcp                      0.0.0.0/0.0.0.0
$