EPICS Home

Experimental Physics and Industrial Control System


 
1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  <20242025  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  <20242025 
<== Date ==> <== Thread ==>
Subject: RE: firewalld configuration for EPICS?
From: Freddie Akeroyd - STFC UKRI via Tech-talk <tech-talk at aps.anl.gov>
To: 'Mark Rivers' <rivers at cars.uchicago.edu>, EPICS Tech Talk <tech-talk at aps.anl.gov>
Date: Mon, 3 Jun 2024 23:42:14 +0000

Hi Mark,

 

I suspect the issue is the other IOCs are not listening on TCP port 5064 but have been allocated an ephemeral port number that can change each time they are stated, so clients can’t make a TCP connection to these IOCs as they are blocked by the firewall. If that is the case then options might be:

 

  • Set EPICS_CAS_SERVER_PORT to something different for each ioc, and add these ports to your firewall (you’d need to be sure nothing else would even use the addresses you choose)
  • Run all the IOCS on e.g. only 127.0.0.1 loopback (via EPICS_CAS_INTF_ADDR_LIST) and run a gateway as the only thing listening on port 5064 on the firewalled network interface
  • Maybe a new EPICS base option like EPICS_CAS_SERVER_PORT_RANGE could be added, this will specify a port range the IOC should try if its original EPICS_CAS_SERVER_PORT is in use and would then allow pre-adding the  EPICS_CAS_SERVER_PORT_RANGE  block of ports to a firewall

 

Regards,

 

Freddie

  

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Mark Rivers via Tech-talk
Sent: Tuesday, June 4, 2024 12:04 AM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: RE: firewalld configuration for EPICS?

 

Folks,

 

 

I have now empirically answered that question, and it is NOT sufficient to implement the firewall rules documented in the CA Reference Manual.  When I do that, I can only connect to the first IOC I start.

 

Is there a recipe for configuring the firewall when multiple IOCs are running on that Linux machine?  I can access all IOCs from CA clients running on that same machine, but not from clients running on other machines.

 

Thanks,

Mark

 

 

From: Mark Rivers
Sent: Monday, June 3, 2024 3:26 PM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: RE: firewalld configuration for EPICS?

 

Folks,

 

We would like to start to enable the firewalls on our Linux machines that are running Linux IOCs and clients.

 

The only “official” documentation I can find is the most recent CA Reference Manual:

https://epics.anl.gov/base/R7-0/8-docs/CAref.html#firewall

 

And in “How to Configure Channel Access”:

https://epics-controls.org/resources-and-support/documents/howto-documents/configure-channel-access/#Firewalls

 

Both of these are very terse, and do not explicitly discuss the case of multiple IOCs on a Linux server.

 

The tech-talk thread I am responding to did not reach a clear conclusion and recommendation.

 

My configuration is as follows:

  • RHEL 9 servers running multiple IOCs
  • All clients are either on that server or other machines on the same subnet.  Thus, CA searches can simply use broadcasts, and we don’t need to use the IP Tables mechanism.

 

Is it sufficient to follow these instructions?

https://epics-controls.org/resources-and-support/documents/howto-documents/configure-channel-access/#Firewalls

 

Or do the multiple IOCs require additional complexity?

 

Thanks,

Mark

 

 

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Ralph Lange via Tech-talk
Sent: Friday, February 28, 2020 4:26 AM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: Re: firewalld configuration for EPICS?

 

Small note:

 

On Mon, 24 Feb 2020 at 14:10, Goetz Pfeiffer via Tech-talk <tech-talk at aps.anl.gov> wrote:

Settings for EPICS clients:

  firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=tcp accept"
  firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=udp accept"
  firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=tcp accept"
  firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=udp accept"

Additional settings for EPICS servers:

  firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"
  firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"
  firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"
  firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"

 

Channel Access does not use TCP on the beacon port (aka CA_REPEATER_PORT, ca-2, 5065). Opening it does no harm, but is not needed.

 

Cheers,
~Ralph

 

Replies:
Re: firewalld configuration for EPICS? Gerrit Kühn via Tech-talk
References:
RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk
RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk
Navigate by Date:
Prev: RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk
Next: Required Perl modules? John Dobbins via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  <20242025 
Navigate by Thread:
Prev: RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk
Next: Re: firewalld configuration for EPICS? Gerrit Kühn via Tech-talk
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  <20242025