Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think that the following is an accurate description of the firewall settings needed to support channel access.
====================================================================
If you want channel access clients on a machine to be able to see beacons and replies to broadcast PV search requests, you need to permit inbound UDP packets with source port EPICS_CA_SERVER_PORT (default 5064) or destination port EPICS_CA_REPEATER_PORT (default 5065). On systems using iptables this can be accomplished by rules like

    -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
    -A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT
If you want channel access servers (e.g. "soft IOCs") on a machine to be able to see clients, you need to permit inbound TCP and UDP packets with destination port EPICS_CA_SERVER_PORT (default 5064). On systems using iptables this can be accomplished by rules like

    -A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
    -A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT
The rule sets above are complete provided that outbound traffic is not blocked.

In all cases "-s 192.168.0.0/22" specifies the range of source addresses from which you are willing to accept packets; substitute your own subnet.
====================================================================
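As an added example (not part of the original message), the following Python checks offline whether a set of INPUT rules admits the client-side and server-side CA traffic described above, which makes the source-port versus destination-port distinction visible before the rules are loaded. The rule parser, the packet tuples and the port 40000 ephemeral port are constructed for this example; CA_INBOUND encodes only the traffic classes named in the text.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse the iptables options used by the CA rules above: -s, -p, --sport, --dport, -j."""
    toks = shlex.split(line)
    rule = {"src": None, "proto": None, "sport": None, "dport": None, "target": "ACCEPT"}
    for i, tok in enumerate(toks[:-1]):
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
        elif tok == "-p":
            rule["proto"] = toks[i + 1]
        elif tok in ("--sport", "--dport"):
            rule[tok[2:]] = int(toks[i + 1])
        elif tok == "-j":
            rule["target"] = toks[i + 1]
    return rule

def matches(rule, pkt):
    src, proto, sport, dport = pkt  # pkt = (source address, protocol, source port, destination port)
    return ((rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and rule["proto"] in (None, proto)
            and rule["sport"] in (None, sport)
            and rule["dport"] in (None, dport))

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins, as in an iptables chain; otherwise the chain policy applies."""
    return next((r["target"] for r in rules if matches(r, pkt)), policy)

EPHEMERAL = 40000  # constructed: the unprivileged port the local socket happened to get

# Inbound packets each CA role must receive, per the description above: (proto, sport, dport).
CA_INBOUND = {
    "client": {"search reply (UDP from server port)": ("udp", 5064, EPHEMERAL),
               "beacon (UDP to repeater port)": ("udp", EPHEMERAL, 5065)},
    "server": {"search request (UDP to server port)": ("udp", EPHEMERAL, 5064),
               "circuit (TCP to server port)": ("tcp", EPHEMERAL, 5064)},
}

def check_role(rule_text, role, peer):
    """Verdict for every packet the given role needs, arriving from the address peer."""
    rules = [parse_rule(l) for l in rule_text.strip().splitlines()]
    return {name: verdict(rules, (peer,) + pkt) for name, pkt in CA_INBOUND[role].items()}

CLIENT_RULES = ("-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT\n"
                "-A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT")
SERVER_RULES = ("-A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT\n"
                "-A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT")
```

check_role(CLIENT_RULES, "client", "192.168.1.20") returns ACCEPT for both client packets, while the same rules return DROP for every server-side packet and for any peer outside 192.168.0.0/22.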