Hi Eric,
> If you want channel access clients on a machine to be able to see
> replies to broadcast PV search requests you need to permit inbound
> UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064)
The server always replies by sending to the source address found in the UDP
frame containing the client's search request. Since the client library's
UDP socket is locally bound to an ephemeral (dynamically assigned) port
number, and that will be its source address when sending UDP search frames,
it's probably not strictly accurate to say that the firewall can permit
these responses by opening up port EPICS_CA_SERVER_PORT (default is 5064).
I seem to recall that certain stateful firewall implementations remember
the source address of outbound udp frames and, for some amount of time
afterwards, transparently permit udp replies returning to that same
address.
Jeff
______________________________________________________
Jeffrey O. Hill Email [email protected]
LANL MS H820 Voice 505 665 1831
Los Alamos NM 87545 USA FAX 505 665 5107
Message content: TSPA
With sufficient thrust, pigs fly just fine. However, this is
not necessarily a good idea. It is hard to be sure where they
are going to land, and it could be dangerous sitting under them
as they fly overhead. -- RFC 1925
> -----Original Message-----
> From: [email protected] [mailto:tech-talk-
> [email protected]] On Behalf Of Eric Norum
> Sent: Friday, November 05, 2010 3:31 PM
> To: EPICS Techtalk
> Subject: Re: Firewall (iptables) issues?
>
> Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think
> that the following is an accurate description of the firewall settings
> needed to support channel access.
>
> ====================================================================
> If you want channel access clients on a machine to be able to see
> beacons and replies to broadcast PV search requests you need to permit
> inbound UDP packets with source port EPICS_CA_SERVER_PORT (default is
> 5064) or destination port EPICS_CA_REPEATER_PORT (default is 5065). On
> systems using iptables this can be accomplished by rules like
> -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
> -A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT
>
> If you want channel access servers (e.g. "soft IOCs") on a machine to
> be able to see clients you need to permit inbound TCP or UDP packets
> with source port EPICS_CA_SERVER_PORT (default is 5064). On systems
> using iptables this can be accomplished by rules like
> -A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
> -A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT
>
> The above sets of rules are complete assuming that there's no blocking
> of outbound traffic.
>
> In all cases the "-s 192.168.0.0/22" specifies the range of addresses
> from which you wish to accept packets.
> ====================================================================
> --
> Eric Norum
> [email protected]
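The following is an added worked example, not code from either message or from EPICS itself. It models the two iptables rule sets in Eric's summary as packet-matching functions and then models the stateful behaviour Jeff recalls, so the search/reply exchange can be checked against each. All addresses and port numbers other than the 5064/5065 defaults and the 192.168.0.0/22 range are constructed for the example; the "strict" reverse-5-tuple policy is an assumption about how a stateful filter such as Linux conntrack tracks UDP, and the "loose" policy is the behaviour Jeff describes (any reply returning to the address and port the search left from). The example goes one step beyond the thread in showing why the two policies differ for a broadcast search: the reply comes back unicast from the server, so it does not reverse the broadcast destination the search was sent to.

```python
"""Model of the CA firewall rules from the summary above, applied to the
search/reply exchange described in the thread.  Added example; all hosts and
ephemeral ports are constructed."""
from dataclasses import dataclass
import ipaddress

EPICS_CA_SERVER_PORT = 5064      # defaults quoted in the summary
EPICS_CA_REPEATER_PORT = 5065
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/22")   # the "-s" range in the rules


@dataclass(frozen=True)
class Packet:
    """Just the fields the quoted iptables rules match on."""
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def from_trusted(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in TRUSTED_NET


def client_host_accepts(pkt: Packet) -> bool:
    """Rule set for a host running CA clients:
       -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
       -A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT"""
    if not from_trusted(pkt) or pkt.proto != "udp":
        return False
    return pkt.sport == EPICS_CA_SERVER_PORT or pkt.dport == EPICS_CA_REPEATER_PORT


def server_host_accepts(pkt: Packet) -> bool:
    """Rule set for a host running CA servers (soft IOCs):
       -A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
       -A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT"""
    if not from_trusted(pkt) or pkt.proto not in ("udp", "tcp"):
        return False
    return pkt.dport == EPICS_CA_SERVER_PORT


class StatefulUdpFilter:
    """Toy model of a stateful filter: remember outbound UDP frames and admit
    replies for `timeout` seconds.  strict=True requires the exact reverse
    5-tuple (assumed to be what Linux conntrack does for UDP); strict=False
    only requires the reply to land on the local address/port the outbound
    frame left from, which is the behaviour Jeff describes."""

    def __init__(self, timeout: float = 30.0, strict: bool = True):
        self.timeout = timeout
        self.strict = strict
        self._entries = {}   # key -> expiry time (seconds)

    def _key(self, proto, laddr, lport, raddr, rport):
        if self.strict:
            return (proto, laddr, lport, raddr, rport)
        return (proto, laddr, lport)

    def saw_outbound(self, pkt: Packet, now: float) -> None:
        key = self._key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self._entries[key] = now + self.timeout

    def admits_inbound(self, pkt: Packet, now: float) -> bool:
        # A reply swaps the roles: our local side is the packet's destination.
        key = self._key(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self._entries.get(key)
        return expiry is not None and now <= expiry


# Constructed sample traffic (hosts, subnet broadcast and ephemeral ports are made up).
CLIENT, SERVER, BCAST = "192.168.1.5", "192.168.1.10", "192.168.3.255"
SEARCH = Packet("udp", CLIENT, 40000, BCAST, EPICS_CA_SERVER_PORT)          # outbound broadcast search
REPLY = Packet("udp", SERVER, EPICS_CA_SERVER_PORT, CLIENT, 40000)          # unicast reply to ephemeral port
BEACON = Packet("udp", SERVER, 51000, BCAST, EPICS_CA_REPEATER_PORT)        # beacon to the repeater port
CONNECT = Packet("tcp", CLIENT, 40001, SERVER, EPICS_CA_SERVER_PORT)        # client TCP connection to a server
OUTSIDER = Packet("udp", "10.0.0.9", EPICS_CA_SERVER_PORT, CLIENT, 40000)   # same ports, untrusted source


def run_demo() -> dict:
    """Evaluate the sample traffic under each policy; returns name -> verdict."""
    strict = StatefulUdpFilter(strict=True)
    loose = StatefulUdpFilter(strict=False)
    strict.saw_outbound(SEARCH, now=0.0)
    loose.saw_outbound(SEARCH, now=0.0)
    return {
        "client rules admit search reply": client_host_accepts(REPLY),
        "client rules admit beacon": client_host_accepts(BEACON),
        "client rules reject untrusted source": not client_host_accepts(OUTSIDER),
        "server rules admit tcp connect": server_host_accepts(CONNECT),
        "server rules admit udp search": server_host_accepts(SEARCH),
        "server rules admit search reply": server_host_accepts(REPLY),
        "strict stateful admits reply": strict.admits_inbound(REPLY, now=1.0),
        "loose stateful admits reply": loose.admits_inbound(REPLY, now=1.0),
        "loose stateful admits reply after timeout": loose.admits_inbound(REPLY, now=31.0),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point to take from the two stateful verdicts is the one Jeff raises: the search leaves from an ephemeral port and the reply comes back to that port, so a filter that only knows "port 5064" cannot identify the reply by its destination. Eric's `--sport 5064` rule works because the reply's *source* port is the server port; a strict reverse-tuple stateful entry does not match here because the reply's source address is the server, not the broadcast address the search was sent to, so the explicit rule is still needed on hosts that only have strict connection tracking.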