Experimental Physics and
Industrial Control System

Gabriel Fedel via Tech-talk <tech-talk at aps.anl.gov> · Tue, 25 Feb 2020 10:50:27 +0100

Hi Abdalla,

Thank for the reference.

But I think even using this script the firewall will block the other

IOCs to send data to the client, will not?

Best Regards

On 2/25/20 8:53 AM, Abdalla Ahmad wrote:

Hi Gabriel

You are right. In the case of multiple IOCs, each IOC other than the first one to run will get a random port number. See this link by Ralph https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host where you create a Network manager dispatcher script where it broadcasts UDP traffic to all processes.

Best Regards,
Abdalla.

-----Original Message-----
From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Gabriel Fedel via Tech-talk
Sent: Monday, February 24, 2020 6:33 PM
To: tech-talk at aps.anl.gov
Subject: Re: firewalld configuration for EPICS?

Hi all,

I'm doing some tests with firewalld configuration, using yours examples, but I think they will not work if there are more than 1 IOC running on same machine, right?

Because the port for the other IOCs to transfer data will be other then the 5064/5065 for CA (and 5076/5077 for PVAccess).

Is my understanding correct?

Is there some alternative for these cases?

Best Regards
On 2/24/20 1:27 PM, Jörn Dreyer via Tech-talk wrote:

Hi,

I have the following content in an XML file under
/etc/firewalld/services/EPICSChannelAccess.xml

<?xml version="1.0" encoding="utf-8"?> <service>
   <short>EPICS Channel Access service</short>
   <port port="ca-1" protocol="tcp"/>
   <port port="ca-1" protocol="udp"/>
   <port port="ca-2" protocol="tcp"/>
   <port port="ca-2" protocol="udp"/>
   <source-port port="ca-1" protocol="tcp"/>
   <source-port port="ca-1" protocol="udp"/>
   <source-port port="ca-2" protocol="tcp"/>
   <source-port port="ca-2" protocol="udp"/> </service>

But this requres a link o be set on my system from /usr/etc/services
to /etc/services. Somehow firewalld under OpenSuSE Tumbleweed does not
yet honor the new path to this file. But if you replace the symbolic
port names to the corresponding numbers it also works.

Regards,

Jörn

Am Montag, 24. Februar 2020, 14:09:57 CET schrieb Goetz Pfeiffer via
Tech-talk:

  > On 4/3/19 11:51 AM, Dirk Zimoch via Tech-talk wrote:

  > > Hi

  > >

  > > Does anyone already have a firewalld configuration to allow
Channel

  > > Access? I.e. something like a
/usr/lib/firewalld/services/epics.xml
file?

  > >

  > > Dirk

  >

  > Hello Dirk,

  >

  > I just struggled with firewalld in order to make EPICS clients and
servers

  > work and I found this solution for the command line:

  >

  > Settings for EPICS clients:

  >

  >   firewall-cmd --add-rich-rule="rule source-port port=5064
protocol=tcp

  > accept" firewall-cmd --add-rich-rule="rule source-port port=5064

  > protocol=udp accept" firewall-cmd --add-rich-rule="rule source-port

  > port=5065 protocol=tcp accept" firewall-cmd --add-rich-rule="rule

  > source-port port=5065 protocol=udp accept"

  >

  > Additional settings for EPICS servers:

  >

  >   firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"

  >   firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"

  >   firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"

  >   firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"

  >

  > Make changes permanent:

  >

  >   firewall-cmd --runtime-to-permanent

  >

  > Greetings

  >

  >   Goetz

--
Gabriel Fedel

--
Gabriel Fedel

Ship 8, Floor 2.
EPICS Integrator
Integrated Control System Division
The European Spallation Souce
Odarslövsvägen 113
224 84 Lund

mobile Sweden: 0723356030
mobile International: +46723356030

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System