EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: RE: Testing Rocky Linux with EPICS
From: Abdalla Ahmad via Tech-talk <tech-talk at aps.anl.gov>
To: "Hu, Yong" <yhu at bnl.gov>, "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Thu, 16 Jun 2022 07:33:29 +0000

Hello Yong

 

Thanks for the tip. I disabled my Windows firewall (which is what prevented cainfo for some reason) and configured the NIC to the trusted zone, and my tests are working. Did this setup solve the case when multiple IOCs are on a host accessed from another VLAN, i.e., used in EPICS_CA_ADDR_LIST? I had to configure iptables for that: https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host

 

Best Regards,

Abdalla.

 

From: Hu, Yong <yhu at bnl.gov>
Sent: Saturday, June 11, 2022 4:51 AM
To: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; tech-talk at aps.anl.gov
Subject: Re: Testing Rocky Linux with EPICS

 

Hello Abdalla,

I remember we had this kind of problem on RHEL8 IOC servers. To fix it, we disable the firewall and iptables, then use this command (change enp11s0f1 to your actual NIC):
firewall-cmd --zone=trusted --change-interface=enp11s0f1 --permanent

Hope this helps.
Cheers,
Yong

From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of Abdalla Ahmad via Tech-talk <tech-talk at aps.anl.gov>
Date: Thursday, June 9, 2022 at 7:17 AM
To: tech-talk at aps.anl.gov <tech-talk at aps.anl.gov>
Subject: Testing Rocky Linux with EPICS

Hi

 

I recently investigated Rocky Linux to deploy EPICS IOCs. I mainly focused on configuring the firewall (both firewall-cmd and iptables). I have tested the following cases:

  • Testing one IOC on the same host: I created an IOC and ran caget on the same host as the IOC; it did not find the PV. So I thought of enabling EPICS ports using firewall-cmd and it worked.
  • Testing multiple IOCs on the same host: It worked using the previous configuration.
  • Testing multiple IOCs from another host on the same VLAN: It did not work until I enabled both tcp and udp protocols (using the --add-protocol option) along with --complete-reload.
  • Testing multiple IOCs from another host on a different VLAN: This is a very confusing one. I enabled EPICS ports, tcp and udp, now I can do caget and cainfo on PVs from the last running IOCs. When I added the UDP broadcast rule in iptables while firewalld is running, for some reason cainfo could not find the PVs but caget was working (I ran these commands from a Windows 10 host). When I disabled firewalld and used iptables only, I can see the PVs on the same host, same VLAN and different VLAN.

 

Eventually, this is the configuration I used:

/usr/bin/firewall-cmd --permanent --add-port=5064/tcp
/usr/bin/firewall-cmd --permanent --add-port=5064/udp
/usr/bin/firewall-cmd --permanent --add-port=5065/tcp
/usr/bin/firewall-cmd --permanent --add-port=5065/udp
/usr/bin/firewall-cmd --permanent --add-protocol=tcp
/usr/bin/firewall-cmd --permanent --add-protocol=udp
/usr/bin/firewall-cmd --reload

 

I wonder what is the difference between RHEL 7 and 8 firewall configurations? On CentOS 7, we have firewalld running but with no configuration and we flush iptables (except for the UDP broadcast rule above). What is the best scenario here, or which is better, firewalld or iptables, in this case? I think for some reason, firewalld does not allow UDP broadcast and I could not figure out how to do it in firewall-cmd. Any feedback is really appreciated.

 

Best Regards,

Abdalla.
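
An added example, not part of the thread or of EPICS: in firewalld, `--add-protocol=tcp` or `udp` admits every port of that protocol and the trusted zone accepts all traffic, so this check reads `firewall-cmd --list-all` style output and reports zones opened that widely. The function name `audit_zones`, the `epics` zone, the subnet 10.10.20.0/24 and all sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag firewalld zones that accept more
# than the Channel Access ports named in the thread (5064 and 5065).
# Input: text in the layout printed by `firewall-cmd --list-all[-zones]`.

audit_zones() {
  awk '
    function report(   n, i, p, q, red) {
      if (zone == "") return
      if (target == "ACCEPT" && bound > 0)
        print zone ": ACCEPT-ALL (" bound " interface/source bound)"
      if (protos == "") return
      n = split(ports, p, " ")
      for (i = 1; i <= n; i++) {     # port rules already covered by a protocol rule
        split(p[i], q, "/")
        if (index(protos " ", " " q[2] " ")) red = red " " p[i]
      }
      print zone ": ALL-PORTS" protos (red != "" ? " (port rules redundant:" red ")" : "")
    }
    /^[^ \t]/ { report(); zone = $1; target = protos = ports = ""; bound = 0; next }
    $1 == "target:" { target = $2 }
    $1 == "interfaces:" || $1 == "sources:" { bound += NF - 1 }
    $1 == "ports:" { for (i = 2; i <= NF; i++) ports = ports " " $i }
    $1 == "protocols:" { for (i = 2; i <= NF; i++) if ($i == "tcp" || $i == "udp") protos = protos " " $i }
    END { report() }
  '
}

# Constructed sample output: the public zone after the commands in the thread.
SAMPLE_PUBLIC='public (active)
  target: default
  interfaces: enp11s0f1
  sources:
  ports: 5064/tcp 5064/udp 5065/tcp 5065/udp
  protocols: tcp udp'
# Constructed: the NIC moved to the trusted zone, as in the reply.
SAMPLE_TRUSTED='trusted (active)
  target: ACCEPT
  interfaces: enp11s0f1
  ports:
  protocols:'
# Constructed: hypothetical "epics" zone limited to one client subnet.
SAMPLE_SCOPED='epics (active)
  target: default
  sources: 10.10.20.0/24
  ports: 5064/tcp 5064/udp 5065/udp
  protocols:'
printf '%s\n' "$SAMPLE_PUBLIC" "$SAMPLE_TRUSTED" "$SAMPLE_SCOPED" | audit_zones
```

On a live host, pipe the output of `firewall-cmd --list-all-zones` into `audit_zones`; a zone that prints nothing has neither finding.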


References:
Testing Rocky Linux with EPICS Abdalla Ahmad via Tech-talk
Re: Testing Rocky Linux with EPICS Hu, Yong via Tech-talk

ANJ, 14 Sep 2022