Under Construction

hmc rmfirewall

Available: from

Firewall rules on an HMC can be removed with the command “hmc rmfirewall”.

   rmfirewall [-v] <hmc> <service> [<interface>] <IP>[/<prefixlen>] [<netmask>]

Only existing firewall rules can be removed.

In addition to the HMC, one of the IBM supported services and at least one IP address must be specified.

Services supported by IBM are the following:

    •    ssh – Secure Shell
    •    SecureRemoteAccess – Secure Remote Access
    •    RMC – Resource Monitoring and Control (LPM, DLPAR)
    •    FCS – HMC to HMC communication
    •    i5250 – 5250 Remote Console
    •    ping – ICMP echo
    •    ntp – Network Time Protocol
    •    SLP – SLP
    •    RPD – RPD
    •    snmptrap – SNMP traps
    •    snmpagent – SNMP agent

Note: Depending on the HMC version, additional services may be supported. The official IBM documentation should be consulted.

If a rule exists for multiple interfaces, specifying an interface removes the rule for that interface only; omitting the interface removes the rule for all interfaces.

Rules for IPv4 and IPv6 can be removed.

Below are some examples that illustrate the different options. It should be noted that the information provided, such as interface, IP address, service and netmask, is used to match an existing rule. Only if such a rule exists can it be removed with the command. All of the following examples assume that the corresponding rule currently exists!

To remove the rule that allows SSH connections from the IP address (source IP) to the HMC hmc01 via the interface eth0:

$ hmc rmfirewall hmc01 ssh eth0

Note: No netmask and no prefix length is specified here; the default is then a netmask of for IPv4 addresses, so the rule applies only to the specified IP address.

To remove the rules that allow ping (ICMP) from any IP address on any interface of the HMC hmc01:

$ hmc rmfirewall hmc01 ping

Alternatively, instead of the network mask, the prefix length can also be specified together with the IP address:

$ hmc rmfirewall hmc01 ping

To remove the rule that allows RMC from the network on the interface eth0:

$ hmc rmfirewall hmc01 RMC eth0

Alternatively, the prefix length can be used here again instead of the netmask (

$ hmc rmfirewall hmc01 RMC eth0

Rules for IPv6 cannot specify a netmask; only a prefix length can be specified. The default prefix length is then 128.

Which rules are currently configured on an HMC can be displayed using the “hmc lsfirewall” command. If new rules are to be added, this can be done with the “hmc addfirewall” command.
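
The matching behaviour described above, as an added example that is not part of the original page or of the hmc tool: a Python pre-check that normalizes the address arguments and lists which rules a removal would match before it is run. The rule list, addresses and function names are constructed for illustration, and exact matching on service, interface and network is an assumption.

```python
import ipaddress

# Constructed sample rules (service, interface, source network).
# This is illustration data, not output of any hmc command.
RULES = [
    ("ssh", "eth0", "192.0.2.10/32"),
    ("ssh", "eth1", "192.0.2.10/32"),
    ("RMC", "eth0", "198.51.100.0/24"),
    ("ssh", "eth0", "2001:db8::5/128"),
]


def normalize(ip, netmask=None):
    """Return the canonical network for <IP>[/<prefixlen>] [<netmask>]."""
    if "/" in ip and netmask is not None:
        raise ValueError("give either a prefix length or a netmask, not both")
    # A bare address means "only this address": /32 for IPv4, /128 for IPv6.
    addr = ipaddress.ip_interface(ip)
    if netmask is not None:
        if addr.version == 6:
            raise ValueError("IPv6 rules take a prefix length, not a netmask")
        # Netmask and prefix length are two spellings of the same network.
        addr = ipaddress.ip_interface(f"{addr.ip}/{netmask}")
    return addr.network


def rules_to_remove(rules, service, ip, netmask=None, interface=None):
    """List the rules a removal with these arguments would match.

    Assumption: a rule matches only if service and network are identical.
    With interface=None the match covers every interface, as described above.
    """
    target = normalize(ip, netmask)
    return [
        rule for rule in rules
        if rule[0] == service
        and ipaddress.ip_network(rule[2]) == target
        and (interface is None or rule[1] == interface)
    ]


if __name__ == "__main__":
    # Omitting the interface hits the ssh rule on both eth0 and eth1.
    for rule in rules_to_remove(RULES, "ssh", "192.0.2.10"):
        print("would remove:", rule)
```

An empty result means no existing rule matches the arguments, which is the case in which the removal cannot succeed.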