The primary point of IPMI for most users is to be able to administer and control the box when it's not running. Using the host itself as a firewall is the quickest way to get that BMC online, but it kinda defeats the purpose.
On Thu, Aug 15, 2013 at 7:46 PM, Jay Ashworth <j...@baylink.com> wrote: > ----- Original Message ----- > > From: "Brandon Martin" <lists.na...@monmotha.net> > > > As to why people wouldn't put them behind dedicated firewalls, imagine > > something like a single-server colo scenario. Most such providers don't > > offer any form of lights-out management aside from maybe remote reboot > > (power-cycle) nor do they offer any form of protected/secondary network > > to their customers. So, if you want to save yourself from a trip, you > > chuck the thing raw on a public IP and hope you configured it right. > > Well, *I* would firewall eth1 from eth0 and cross-over eth1 to the ILO > jack; > let the box be the firewall. Sure, it's still as breakable as the box > proper, but security-by-obscurity isn't *bad*, it's just *not good enough*. > > It's another layer of tape. > > Whether it's teflon or Gorilla is up to you. > > Cheers, > -- jra > -- > Jay R. Ashworth Baylink > j...@baylink.com > Designer The Things I Think RFC > 2100 > Ashworth & Associates http://baylink.pitas.com 2000 Land > Rover DII > St Petersburg FL USA #natog +1 727 647 > 1274 > >
