Hi Eric,
If you want channel access clients on a machine to be able to see
replies to broadcast PV search requests you need to permit inbound
UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064).
The server always replies sending to the source address found in the UDP
frame containing the client's search request. Since the client library's
UDP socket is locally bound to an ephemeral (dynamically assigned) port
number, and that will be its source address when sending UDP search frames,
then it's probably not strictly accurate to say that the firewall can permit
these responses by opening up port EPICS_CA_SERVER_PORT (default is 5064).
I seem to recall that certain stateful firewall implementations remember
the source address of outbound UDP frames and, for some amount of time
afterwards, transparently permit UDP replies returning to that same
address.
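
The exchange described in this message, as an added example that is not part of the original post or of EPICS: a loopback UDP request/reply, then a toy inbound filter evaluated against the reply. The `InboundFilter` class, the loopback port standing in for EPICS_CA_SERVER_PORT and the 30-second state timeout are assumptions made for illustration.

```python
import socket

def search_exchange():
    """Loopback search/reply; returns (server_port, client_port, reply_src_port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))  # constructed stand-in for EPICS_CA_SERVER_PORT
        client.bind(("127.0.0.1", 0))  # ephemeral port, as in the client library
        server.settimeout(2.0)
        client.settimeout(2.0)
        client.sendto(b"search", server.getsockname())
        _, requester = server.recvfrom(64)
        server.sendto(b"reply", requester)  # reply goes to the request's source address
        _, reply_src = client.recvfrom(64)
        return server.getsockname()[1], client.getsockname()[1], reply_src[1]
    finally:
        server.close()
        client.close()

class InboundFilter:
    """Hypothetical inbound UDP policy: static port matches plus optional state."""
    def __init__(self, allow_dport=None, allow_sport=None, state_ttl=0.0):
        self.allow_dport, self.allow_sport, self.state_ttl = allow_dport, allow_sport, state_ttl
        self.seen = {}  # local source port of outbound frames -> expiry time

    def note_outbound(self, local_port, now):
        if self.state_ttl > 0:
            self.seen[local_port] = now + self.state_ttl

    def permits(self, src_port, dst_port, now):
        if dst_port == self.allow_dport or src_port == self.allow_sport:
            return True
        # Stateful case: the reply returns to a recently used local source port.
        return self.seen.get(dst_port, 0.0) > now

def evaluate(server_port, client_port, reply_src_port):
    """Which policies pass the reply (src = server port, dst = client's ephemeral port)?"""
    policies = {
        "dport == server port": InboundFilter(allow_dport=server_port),
        "sport == server port": InboundFilter(allow_sport=server_port),
        "stateful, 30 s": InboundFilter(state_ttl=30.0),
    }
    results = {}
    for name, fw in policies.items():
        fw.note_outbound(client_port, now=0.0)
        results[name] = fw.permits(reply_src_port, client_port, now=1.0)
    results["stateful, expired"] = policies["stateful, 30 s"].permits(reply_src_port, client_port, now=31.0)
    return results
```

Calling `evaluate(*search_exchange())` runs the real loopback exchange and reports, per policy, whether the reply would be admitted.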