Argonne National Laboratory

Experimental Physics and Industrial Control System


Subject: RE: iptables example script for EPICS CA
From: "Hill, Jeff" <johill@lanl.gov>
To: Benjamin Franksen <benjamin.franksen@helmholtz-berlin.de>, "tech-talk@aps.anl.gov" <tech-talk@aps.anl.gov>
Date: Mon, 2 Jul 2012 15:02:05 +0000
Sounds like a good idea. I created this bug entry.

https://bugs.launchpad.net/epics-base/+bug/1020131

> -----Original Message-----
> From: tech-talk-bounces@aps.anl.gov [mailto:tech-talk-bounces@aps.anl.gov]
> On Behalf Of Benjamin Franksen
> Sent: Monday, July 02, 2012 7:25 AM
> To: tech-talk@aps.anl.gov
> Subject: Re: iptables example script for EPICS CA
> 
> On Friday, June 29, 2012, John William Sinclair wrote:
> > Here's a previous submission:
> >
> > ---------------------------------
> >
> > Thanks to input from Jeff Hill, Ralph Lange, and Andrew Johnson I think
> > that the following is an accurate description of the firewall settings
> > needed to support channel access.
> >
> > ====================================================================
> > If you want channel access clients on a machine to be able to see beacons
> > and replies to broadcast PV search requests you need to permit inbound
> > UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064) or
> > destination port EPICS_CA_REPEATER_PORT (default is 5065).  On systems
> > using iptables this can be accomplished by rules like
> > 	-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
> > 	-A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT
> >
> > If you want channel access servers (e.g. "soft IOCs") on a machine to be
> > able to see clients you need to permit inbound TCP or UDP packets with
> > source port EPICS_CA_SERVER_PORT (default is 5064).  On systems using
> > iptables this can be accomplished by rules like
> > 	-A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
> > 	-A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT
> >
> > The above sets of rules are complete assuming that there's no blocking of
> > outbound traffic.
> >
> > In all cases the "-s 192.168.0.0/22" specifies the range of addresses
> > from which you wish to accept packets.
> > ====================================================================
> 
> How about adding this text to the CA reference manual (possibly in an
> appendix)?
> 
> Cheers
> Ben
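
Worked example, added by the editor and not taken from the thread or from EPICS Base: a POSIX shell script that generates the two rule sets quoted above for a client-only, server-only or combined host, parameterised on EPICS_CA_SERVER_PORT, EPICS_CA_REPEATER_PORT and the accepted source range. The function names (ca_client_rules, ca_server_rules, ca_restore_fragment, valid_subnet) and the CA_SUBNET and CA_ROLE variables are assumptions for illustration; the output is an iptables-restore fragment for the filter table, and nothing is applied unless you feed it to iptables-restore yourself.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables INPUT rules that
# John William Sinclair described, parameterised on the CA ports and the
# source range. Helper names and the CA_SUBNET / CA_ROLE variables are
# hypothetical; the defaults match the EPICS conventions in the thread.

CA_SUBNET="${CA_SUBNET:-192.168.0.0/22}"
CA_SERVER_PORT="${EPICS_CA_SERVER_PORT:-5064}"
CA_REPEATER_PORT="${EPICS_CA_REPEATER_PORT:-5065}"

# Host running CA clients: beacons and search replies arrive as UDP sent
# from the server port; repeater traffic is addressed to the repeater port.
ca_client_rules() {
    subnet=$1; sport=$2; rport=$3
    printf '%s\n' "-A INPUT -s $subnet -p udp --sport $sport -j ACCEPT"
    printf '%s\n' "-A INPUT -s $subnet -p udp --dport $rport -j ACCEPT"
}

# Host running CA servers (e.g. soft IOCs): clients send UDP searches to
# and open TCP circuits to the server port.
ca_server_rules() {
    subnet=$1; sport=$2
    printf '%s\n' "-A INPUT -s $subnet -p udp --dport $sport -j ACCEPT"
    printf '%s\n' "-A INPUT -s $subnet -p tcp --dport $sport -j ACCEPT"
}

# Wrap the rules for one role in an iptables-restore fragment for the
# filter table. Roles: client, server, both.
ca_restore_fragment() {
    role=$1; subnet=$2; sport=$3; rport=$4
    echo '*filter'
    case "$role" in
        client) ca_client_rules "$subnet" "$sport" "$rport" ;;
        server) ca_server_rules "$subnet" "$sport" ;;
        both)   ca_client_rules "$subnet" "$sport" "$rport"
                ca_server_rules "$subnet" "$sport" ;;
        *)      echo "unknown role: $role" >&2; return 1 ;;
    esac
    echo 'COMMIT'
}

# Guard against a typo or an empty variable: "-s" with no range means
# "anywhere", which would open the CA ports well beyond the intended subnet.
valid_subnet() {
    case "$1" in
        */[0-9]|*/[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

if valid_subnet "$CA_SUBNET"; then
    ca_restore_fragment "${CA_ROLE:-both}" "$CA_SUBNET" \
        "$CA_SERVER_PORT" "$CA_REPEATER_PORT"
else
    echo "CA_SUBNET must be a CIDR range such as 192.168.0.0/22" >&2
fi
```

Run with no environment set it prints the combined rule set for 192.168.0.0/22; set CA_ROLE=client or CA_ROLE=server to get only one half, and redirect the output into iptables-restore once you have reviewed it. As the quoted text says, these rules assume outbound traffic is not filtered; the valid_subnet check only catches an empty or non-CIDR range, not a range that is wider than you intended.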


References:
iptables example script for EPICS CA Mark Rivers
Re: iptables example script for EPICS CA John William Sinclair
Re: iptables example script for EPICS CA Benjamin Franksen
