Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: iptables example script for EPICS CA
From: John William Sinclair <sinclairjw@ornl.gov>
To: tech-talk@aps.anl.gov
Date: Fri, 29 Jun 2012 09:44:03 -0400
Here's a previous submission:

---------------------------------

Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think that the
following is an accurate description of the firewall settings needed to support
channel access.

====================================================================
If you want channel access clients on a machine to be able to see beacons and
replies to broadcast PV search requests you need to permit inbound UDP packets
with source port EPICS_CA_SERVER_PORT (default is 5064) or destination port
EPICS_CA_REPEATER_PORT (default is 5065).  On systems using iptables this can be
accomplished by rules like
	-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
	-A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT

If you want channel access servers (e.g. "soft IOCs") on a machine to be able to
see clients you need to permit inbound TCP or UDP packets with source port
EPICS_CA_SERVER_PORT (default is 5064).  On systems using iptables this can be
accomplished by rules like
	-A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
	-A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT

The above sets of rules are complete assuming that there's no blocking of
outbound traffic.

In all cases the "-s 192.168.0.0/22" specifies the range of addresses from which
you wish to accept packets.
====================================================================



On 06/29/2012 08:32 AM, Mark Rivers wrote:
Folks,

I am trying to help someone who is new to EPICS get it running on a Linux host that needs to run the iptables firewall.  He needs to run both a soft IOC and EPICS clients on this machine.  He's having trouble configuring the iptables firewall correctly.  If he disables iptables things work fine, but with it enabled EPICS does not work.

Can someone send an example of an iptables script that allows CA to run on the default ports of 5064 and 5065, UDP and TCP?

Thanks,
Mark
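
The rules from the quoted submission, generated for a host that runs both CA clients and a soft IOC, as an added example that is not part of the original thread. The function names `is_port` and `ca_rules` and the `client`/`server` role arguments are hypothetical; ports come from EPICS_CA_SERVER_PORT and EPICS_CA_REPEATER_PORT with the defaults given above, and outbound traffic is assumed not to be blocked.

```shell
#!/bin/sh
# Added example (not from the thread): print the channel access INPUT
# rules in the same "-A INPUT ..." form used in the submission above.

# is_port N: succeed only if N is a decimal integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ca_rules SUBNET ROLE...: print rules for each ROLE (client or server).
# SUBNET is the address range to accept packets from, e.g. 192.168.0.0/22.
ca_rules() {
    subnet=$1
    shift
    server_port=${EPICS_CA_SERVER_PORT:-5064}
    repeater_port=${EPICS_CA_REPEATER_PORT:-5065}

    is_port "$server_port" || { echo "bad EPICS_CA_SERVER_PORT: $server_port" >&2; return 1; }
    is_port "$repeater_port" || { echo "bad EPICS_CA_REPEATER_PORT: $repeater_port" >&2; return 1; }
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be in address/prefix form: $subnet" >&2; return 1 ;;
    esac

    for role in "$@"; do
        case "$role" in
            client)
                # Beacons and replies to broadcast PV searches.
                echo "-A INPUT -s $subnet -p udp --sport $server_port -j ACCEPT"
                echo "-A INPUT -s $subnet -p udp --dport $repeater_port -j ACCEPT"
                ;;
            server)
                # Searches (UDP) and connections (TCP) reaching a soft IOC.
                echo "-A INPUT -s $subnet -p udp --dport $server_port -j ACCEPT"
                echo "-A INPUT -s $subnet -p tcp --dport $server_port -j ACCEPT"
                ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
}

# Stand-alone use: sh ca_rules.sh 192.168.0.0/22 client server
if [ "$#" -gt 0 ]; then ca_rules "$@"; fi
```

The printed lines belong in the filter table's INPUT rules ahead of any rule that rejects or drops the remaining traffic.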




Replies:
Re: iptables example script for EPICS CA Benjamin Franksen
References:
iptables example script for EPICS CA Mark Rivers
