From: Maxim Khitrov
Date: Wed, 2 Mar 2011 19:46:35 -0500
To: Nerius Landys
Cc: David Brodbeck, freebsd-questions@freebsd.org
Subject: Re: Finish upgrading remote server without physically being there?

On Wed, Mar 2, 2011 at 7:10 PM, Nerius Landys wrote:
>> I just got a new Supermicro Atom board a few days ago (X7SPA-HF-D525).
>> It has a Nuvoton BMC chip that is attached to LAN1 and provides IPMI
>> and KVM-over-IP functionality. The chip gets its own IP address
>> (separate from em0 in FreeBSD) and is powered whenever the power cord
>> is plugged-in.
>>
>> As a result, you have some really useful functionality such as power
>> control (turn the server on/off remotely), access to sensors (MB & CPU
>> temperatures, voltages, chassis intrusion), text console, and KVM
>> console.
>>
>> KVM console is accessed using a Java application that has to be
>> installed on the client. It's pretty much identical to having a
>> physical monitor and keyboard attached, in that you can control the
>> system from the moment that it turns on, including going into BIOS.
>> The only glitch I found so far is that the connection freezes for a
>> few seconds while FreeBSD initializes em0 during boot. After that
>> everything is fine.
>
> That's really neat. How do you configure the LAN on that chip? For
> example, how do you specify the IP address, gateway, netmask, etc? Is
> this done in the BIOS? So you would normally have at least 2 IPs for
> the server - one for em0 and one for the special chip? Is this a
> separate ethernet jack? Also, what about being more vulnerable - I
> mean, it's an added way of compromising your system, right? Getting
> in through the KVM-over-IP?

The initial IP configuration is done through the BIOS. After that, you
can use the IPMI View application to change the network settings
remotely.

The physical Ethernet jack is the same as em0, so yes, it has two
separate IPs assigned to it, though the OS is only aware of one. There
are some other implementations (e.g. Dell's iDRAC 6 enterprise) where
the management interface is physically separate. On this Supermicro
board, the interface supports VLAN tagging, so you can use that to
achieve some separation.

Otherwise, you're right about vulnerability. You have
username/password authentication and the session is encrypted using
aes-cbc-128 cipher. Even with this, I wouldn't feel comfortable
exposing this port to the outside world. As it happens, this system
will be my new firewall, so em0 will be my lan and em1 is wan.

- Max