Under Construction

hmc rmfirewall

Available: from 1.9.1.0

Firewall rules on an HMC can be removed with the command “hmc rmfirewall”.

   rmfirewall [-v] <hmc> <service> [<interface>] <IP>[/<prefixlen>] [<netmask>]

Only existing firewall rules can be removed; the command does not create deny rules.

In addition to the HMC, one of the services supported by IBM and an IP address (optionally with a prefix length or a netmask) must be specified. The interface is optional.

Services supported by IBM are the following:

    •    ssh – Secure Shell
    •    SecureRemoteAccess – Secure Remote Access
    •    RMC – Resource Monitoring and Control (LPM, DLPAR)
    •    FCS – HMC to HMC communication
    •    i5250 – 5250 Remote Console
    •    ping – ICMP echo
    •    ntp – Network Time Protocol
    •    SLP – Service Location Protocol
    •    RPD – RPD
    •    snmptrap – SNMP traps
    •    snmpagent – SNMP agent

Note: Depending on the HMC version, additional services may be supported. The official IBM documentation should be consulted.

If a rule exists for several interfaces, specifying an interface removes the rule only for that interface; omitting the interface removes the rule for all interfaces.

Rules for IPv4 and IPv6 can be removed.

Below are some examples that illustrate the different options. Note that the information provided (interface, IP address, service and netmask or prefix length) is used to match an existing rule; only if such a rule exists can it be removed with the command. All of the following examples assume that the corresponding rule currently exists. Before removing a rule, check with “hmc lsfirewall” that it exists and that it is not the rule your own administrative access depends on (for example ssh from your workstation to the HMC).

To remove the rule that allows SSH connections from the IP address 192.168.17.93 (source IP) to the HMC hmc01 via the interface eth0:

$ hmc rmfirewall hmc01 ssh eth0 192.168.17.93
$

Note: Neither a netmask nor a prefix length is specified, so the default netmask of 255.255.255.255 (prefix length 32) applies for an IPv4 address, and the rule matched is the one for exactly this single IP address.

To remove the rules that allow ping (ICMP) from any IP address on any interface of the HMC hmc01:

$ hmc rmfirewall hmc01 ping 0.0.0.0 0.0.0.0
$

Alternatively, instead of the network mask 0.0.0.0, the prefix length can also be specified together with the IP address:

$ hmc rmfirewall hmc01 ping 0.0.0.0/0
$

To remove the rule that allows RMC from the network 192.168.17.0/24 on the interface eth0:

$ hmc rmfirewall hmc01 RMC eth0 192.168.17.0 255.255.255.0
$

Alternatively, the prefix length can be used here again instead of the netmask (255.255.255.0):

$ hmc rmfirewall hmc01 RMC eth0 192.168.17.0/24
$

Rules for IPv6 addresses cannot be specified with a netmask; only a prefix length is possible. If none is given, the default prefix length is 128, i.e. exactly the single address.
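Because the address arguments must match the existing rule exactly, it is easy to pass a netmask where the rule was created with a prefix length or to pass an impossible mask. The following shell helpers are an added example and are not part of the hmc tool: they convert between netmask and prefix length (in both directions, for any IPv4 mask, not only the /24 and /0 cases above), reject non-contiguous masks, enforce the IPv6 prefix-length rule, and build the argument list for "hmc rmfirewall" in the IP/prefixlen form. The function names, the DRY_RUN variable and the heuristic that treats any argument without a dot or colon as an interface name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the hmc tool. Normalises the address arguments
# for "hmc rmfirewall" so that the same rule is matched whether it was
# written with a netmask (255.255.255.0) or a prefix length (/24).

# netmask_to_prefix 255.255.255.0 -> 24; returns 1 for an invalid or
# non-contiguous mask (a 1 bit after a 0 bit describes no network).
netmask_to_prefix() {
    _rest=$1; _n=0; _bits=0; _seen_zero=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        if [ "$_octet" = "$_rest" ]; then _rest=''; else _rest=${_rest#*.}; fi
        _n=$((_n + 1))
        case $_octet in ''|*[!0-9]*|0?*) return 1 ;; esac   # no leading zeros
        [ "$_octet" -le 255 ] || return 1
        _bit=128
        while [ "$_bit" -gt 0 ]; do
            if [ $((_octet & _bit)) -ne 0 ]; then
                [ "$_seen_zero" -eq 0 ] || return 1
                _bits=$((_bits + 1))
            else
                _seen_zero=1
            fi
            _bit=$((_bit / 2))
        done
    done
    [ "$_n" -eq 4 ] || return 1
    echo "$_bits"
}

# prefix_to_netmask 24 -> 255.255.255.0; returns 1 for a prefix outside 0..32
prefix_to_netmask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    _left=$1; _mask=''; _i=0
    while [ "$_i" -lt 4 ]; do
        if [ "$_left" -ge 8 ]; then
            _octet=255; _left=$((_left - 8))
        else
            _octet=$(( (255 << (8 - _left)) & 255 )); _left=0
        fi
        _mask="${_mask}${_mask:+.}${_octet}"
        _i=$((_i + 1))
    done
    echo "$_mask"
}

# rmfirewall_args <hmc> <service> [<interface>] <IP>[/<prefixlen>] [<netmask>]
# Prints the arguments for "hmc rmfirewall" with the address in IP/prefixlen
# form, or returns 1 if the address arguments are inconsistent.
rmfirewall_args() {
    [ $# -ge 3 ] || return 1
    _hmc=$1; _svc=$2; shift 2
    _iface=''
    # Assumption of this example: an argument without '.' or ':' is an interface.
    case $1 in *.*|*:*) ;; *) _iface=$1; shift ;; esac
    _addr=$1; _mask=$2
    case $_addr in
        *:*)    # IPv6: only a prefix length is allowed, default 128
            [ -z "$_mask" ] || return 1
            case $_addr in */*) ;; *) _addr="$_addr/128" ;; esac ;;
        */*)    # IPv4 with prefix length: a netmask as well is ambiguous
            [ -z "$_mask" ] || return 1
            prefix_to_netmask "${_addr#*/}" >/dev/null || return 1 ;;
        *)      # IPv4 without prefix length: convert the netmask, default /32
            _plen=$(netmask_to_prefix "${_mask:-255.255.255.255}") || return 1
            _addr="$_addr/$_plen" ;;
    esac
    echo "$_hmc $_svc${_iface:+ $_iface} $_addr"
}

# rmfirewall_safe: same arguments as "hmc rmfirewall". With DRY_RUN set it
# only prints the command that would be run (DRY_RUN is an assumption here).
# Example: DRY_RUN=1 rmfirewall_safe hmc01 RMC eth0 192.168.17.0 255.255.255.0
rmfirewall_safe() {
    _args=$(rmfirewall_args "$@") || { echo "invalid address arguments: $*" >&2; return 1; }
    if [ -n "$DRY_RUN" ]; then
        echo "hmc rmfirewall $_args"
    else
        # shellcheck disable=SC2086
        hmc rmfirewall $_args
    fi
}
```

Run it with DRY_RUN=1 first: the printed command shows the exact address form that will be matched, and a rejected call (for example an IPv6 address combined with a netmask, or a mask such as 255.0.255.0) fails before the HMC is contacted.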

Which rules are currently configured on an HMC can be displayed using the “hmc lsfirewall” command. If new rules are to be added, this can be done with the “hmc addfirewall” command.