Right.
How about adding 'Additionally' at the beginning of the second paragraph?
On Nov 5, 2010, at 3:24 PM, Till Straumann wrote:
> IMO it would be prudent to recommend that a machine hosting soft-iocs
> should also open incoming traffic on the repeater port since it is
> possible that soft-iocs contain CA links and therefore are clients, too.
> (And the network administrator normally doesn't know about the IOC
> internals.)
>
> -- T.
>
>
> On 11/05/2010 03:31 PM, Eric Norum wrote:
>> Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think that the following is an accurate description of the firewall settings needed to support channel access.
>>
>> ====================================================================
>> If you want channel access clients on a machine to be able to see beacons and replies to broadcast PV search requests you need to permit inbound UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064) or destination port EPICS_CA_REPEATER_PORT (default is 5065). On systems using iptables this can be accomplished by rules like
>> -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
>> -A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT
>>
>> If you want channel access servers (e.g. "soft IOCs") on a machine to be able to see clients you need to permit inbound TCP or UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064). On systems using iptables this can be accomplished by rules like
>> -A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
>> -A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT
>>
>> The above sets of rules are complete assuming that there's no blocking of outbound traffic.
>>
>> In all cases the "-s 192.168.0.0/22" specifies the range of addresses from which you wish to accept packets.
>> ====================================================================
>
--
Eric Norum
[email protected]
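
Added example, not part of the original messages: a shell audit that checks a rules file for the Channel Access rules quoted above. It treats the server rules as additional to the client rules, following the 'Additionally' suggestion and Till Straumann's note. The function names and the sample rules are constructed for illustration.

```shell
# ca_expected_rules ROLE SUBNET: ROLE is "client" or "server" (hypothetical helper).
ca_expected_rules() {
    role=$1 subnet=$2
    sport=${EPICS_CA_SERVER_PORT:-5064}     # defaults as stated in the message
    rport=${EPICS_CA_REPEATER_PORT:-5065}
    case $role in
        client|server) ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    # Client rules: beacons and search replies, plus repeater traffic.
    echo "-A INPUT -s $subnet -p udp --sport $sport -j ACCEPT"
    echo "-A INPUT -s $subnet -p udp --dport $rport -j ACCEPT"
    # Server rules come in addition: a soft IOC with CA links is a client too.
    if [ "$role" = server ]; then
        echo "-A INPUT -s $subnet -p udp --dport $sport -j ACCEPT"
        echo "-A INPUT -s $subnet -p tcp --dport $sport -j ACCEPT"
    fi
}

# Collapse whitespace and drop the "-m udp"/"-m tcp" that iptables-save inserts,
# so hand-written and saved rules compare equal.
ca_normalize() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/ -m udp//' -e 's/ -m tcp//'
}

# ca_missing_rules ROLE SUBNET FILE: print each expected rule absent from FILE.
# Returns 0 when nothing is missing, 1 when something is, 2 on a bad role.
# Exact-match audit: a broader ACCEPT covering the same traffic is still reported.
ca_missing_rules() {
    expected=$(ca_expected_rules "$1" "$2") || return 2
    have=$(ca_normalize < "$3")
    rc=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$have" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
            rc=1
        fi
    done <<EOF
$expected
EOF
    return $rc
}

# Constructed sample: saved rules from a soft-IOC host that lacks the repeater rule.
ca_sample_rules() {
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/22 -p udp -m udp --sport 5064 -j ACCEPT
-A INPUT -s 192.168.0.0/22 -p udp -m udp --dport 5064 -j ACCEPT
-A INPUT -s 192.168.0.0/22 -p tcp -m tcp --dport 5064 -j ACCEPT
EOF
}
```

Running `ca_missing_rules server 192.168.0.0/22 FILE` against the sample reports the missing repeater rule, which is the gap Till Straumann's message points at.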