Experimental Physics and Industrial Control System
Dear all,
this is to announce the availability of nf_conntrack_epics, a Linux kernel
module that implements firewall connection tracking for EPICS.
The CA reference¹ suggests adding a rule
-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
which effectively means to completely open UDP to the host since the source
port can easily be chosen by an attacker.
To circumvent this, I have implemented a connection tracking module that
dynamically only opens the minimal number of ports required.
For EPICS CA clients, just loading this module is enough.
For EPICS CA servers, unconditionally opening port 5064, TCP and UDP, is
also required.
We are running this module in a production environment based on SL7 already.
The downside of this module is that unsolicited broadcast packets cannot be
seen without further configuration.
The code is available from
https://github.com/sus-ziti-uni-hd/nf_conntrack_epics .
Best regards,
Michael
¹ http://www.aps.anl.gov/epics/base/R3-14/12-docs/CAref.html#firewall
--
Dr. Michael Ritzert Tel: +49 621 181 2883
Schaltungstechnik und Simulation Fax: +49 621 181 2734
Technische Informatik, Uni Heidelberg [email protected]
68131 Mannheim, Germany http://sus.ziti.uni-heidelberg.de
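The following is an added example, not part of Michael's announcement or of the nf_conntrack_epics project: it places the source-port rule from the CA reference next to a conntrack-based ruleset of the kind the announcement describes (client hosts rely on connection tracking; server hosts additionally open port 5064 for TCP and UDP), and adds a small audit that flags the weak pattern in an iptables-save style dump. The subnet 192.168.0.0/22 is taken from the reference rule, and the assumption that the module is loaded with `modprobe nf_conntrack_epics` is mine, not stated on the page.

```shell
#!/bin/sh
# Added example (not the project's own code). Assumptions: the EPICS subnet is
# 192.168.0.0/22 as in the CA reference rule, the INPUT chain's default policy
# is DROP, and the module is loaded with `modprobe nf_conntrack_epics`.

EPICS_NET="192.168.0.0/22"

# The rule suggested by the CA reference. It matches on the *source* port, which
# the remote side chooses, so any sender using source port 5064 reaches every
# UDP port on this host.
weak_rules() {
    printf '%s\n' "-A INPUT -s $EPICS_NET -p udp --sport 5064 -j ACCEPT"
}

# Client-only host: load the tracking module (assumed: modprobe nf_conntrack_epics)
# and accept only traffic that conntrack has associated with a flow the host
# itself started. No port is opened unconditionally.
client_rules() {
    printf '%s\n' \
      "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# CA server host: the client rules plus port 5064, TCP and UDP, opened
# unconditionally for the EPICS subnet, as the announcement requires.
server_rules() {
    client_rules
    printf '%s\n' \
      "-A INPUT -s $EPICS_NET -p udp --dport 5064 -j ACCEPT" \
      "-A INPUT -s $EPICS_NET -p tcp --dport 5064 -j ACCEPT"
}

# Audit: read an iptables-save style dump on stdin and return 1 if any UDP
# ACCEPT rule matches on source port 5064 (the weak pattern), 0 otherwise.
# Intended use on a live host:  iptables-save | audit_rules
audit_rules() {
    if grep -E -- '-p udp .*--sport 5064 .*-j ACCEPT' >/dev/null; then
        return 1
    fi
    return 0
}

# Usage: show the server ruleset and confirm it passes the audit.
server_rules
server_rules | audit_rules && echo "server ruleset: no source-port 5064 accept rule"
```

The audit is deliberately narrow: it only catches the exact shape of the rule from the reference, so a dump that opens UDP some other way still needs a manual read.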