RE: [External] RE: PV access stopped by the firewall CentOS 9 Stream

["Leblanc, Gregory via Tech-talk" <tech-talk at aps.anl.gov>]

Thanks, this matches with what Kay sent me on Friday.  Apparently I stared at those screens so long I couldn't read them anymore.  Looks like it's all working now.
     Greg

> -----Original Message-----
> From: Žiga Oven <ziga.oven at cosylab.com>
> Sent: Monday, April 24, 2023 2:45 AM
> To: Leblanc, Gregory <leblanc at ohio.edu>; tech-talk at aps.anl.gov
> Subject: [External] RE: PV access stopped by the firewall CentOS 9 Stream
> 
> Use caution with links and attachments.
> 
> Hi Greg,
> 
> The PVAccess uses ports 5075 and 5076 for its operation (you can also see that in
> your output of the ss command).
> 
> If you add the ports 5075 and 5076 to your firewall rules, I think it should work.
> 
> Best regards,
> 
> Žiga
> 
> > -----Original Message-----
> > From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Leblanc,
> > Gregory via Tech-talk
> > Sent: Friday, April 21, 2023 10:09 PM
> > To: tech-talk at aps.anl.gov
> > Subject: PV access stopped by the firewall CentOS 9 Stream
> >
> > Caution: This email originated from outside of Cosylab.
> >
> >
> > Hi folks,
> >
> > I've just installed CentOS 9 stream on a new machine here, then added
> > on epics-base, calc, asyn, and StreamDevice from git.  I've also
> > installed my work in progress for the Keysight 34980A mainframes,
> > which speak SCPI.  All the EPICS bits work, but there's something
> > screwy with the firewall.  When I do " $ pvget
> > KS_34980A_EPICStestswitcherMagnetCurrent" it times out in 5 seconds.
> > "$ caget KS_34980A_EPICStestswitcherMagnetCurrent" works just fine.  I
> > can turn the firewall off ($ sudo systemctl stop firewalld) and then
> > pvget works fine.  I added ports 5064 and 5065 in both TCP and UDP to the
> rules for the firewall, but that didn't seem to help.
> >
> > Firewall rules:
> > $ sudo firewallcmd --list-all
> > [sudo] password for leblanc:
> > sudo: firewallcmd: command not found
> > [leblanc@epics1 ~]$ sudo firewall-cmd --list-all public (active)
> >   target: default
> >   icmp-block-inversion: no
> >   interfaces: enp1s0
> >   sources:
> >   services: cockpit dhcpv6-client ssh
> >   ports: 5064/tcp 5065/tcp 5064/udp 5065/udp
> >   protocols:
> >   forward: yes
> >   masquerade: no
> >   forward-ports:
> >   source-ports:
> >   icmp-blocks:
> >   rich rules:
> >
> > I also used ss to see what ports pvget was trying to use
> >
> > $ ss -antup |grep pvget
> > udp   UNCONN 0      0                0.0.0.0:45383      0.0.0.0:*
> > users:(("pvget",pid=49094,fd=3))
> > udp   UNCONN 0      0            224.0.0.128:5076       0.0.0.0:*
> > users:(("pvget",pid=49094,fd=6))
> > udp   UNCONN 0      0           10.0.255.255:5076       0.0.0.0:*
> > users:(("pvget",pid=49094,fd=5))
> > udp   UNCONN 0      0             10.0.0.239:5076       0.0.0.0:*
> > users:(("pvget",pid=49094,fd=4))
> >
> > I'm not sure what else to try at this point.  Any pointers appreciated.
> >     Greg
> >
> > --
> > Gregory Leblanc
> > Accelerator Engineer
> > Edwards Accelerator Lab - Ohio University
> > 123 University Terrace
> > Athens, OH 45701 USA
> > leblanc at ohio.edu
> > M: (401) 52-OUAL1 or (401) 526-8251