EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: firewalld configuration for EPICS?
From: Goetz Pfeiffer via Tech-talk <[email protected]>
To: Benjamin Franksen <[email protected]>, <[email protected]>
Date: Tue, 9 Apr 2019 15:26:26 +0200
On 4/8/19 5:28 PM, Benjamin Franksen via Tech-talk wrote:
> On 05.04.19 at 14:28, Dirk Zimoch via Tech-talk wrote:
>> I installed it (without ca-2/tcp) and it works fine.
> We found that such firewall rules do not work well in combination with
> multiple soft IOCs on Linux. The problem is that for multiple CA servers
> on the same machine to work as expected, it is necessary to add certain
> iptables rules (see
> https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host)
> that convert incoming UDP unicasts (name resolution requests) to
> broadcasts, internally. Unicasts will be sent when the client sets
> EPICS_CA_ADDR_LIST to request a specific server.
>
> The iptables solution is quite elegant but has an unfortunate
> side-effect: the source port of the response packets will be re-written
> to some randomly chosen ephemeral port. 
We found with Wireshark that the source port of the packet is changed from 5064 to 1024
and above.
> And that port doesn't match the
> ports configured for the firewall, so the firewall doesn't let them
> through. It is hard to find documentation for this behavior of iptables
> on the internet. The keyword here is "implicit source port mapping".
>
> We have been thinking about this problem for a while. I think the only
> clean solution is for EPICS to offer something similar to the already
> existing caRepeater, only for the server side. Let me call this thing
> the "casRepeater". Similar to the CA client with the caRepeater, each CA
> server would on startup try to locate a running instance of the
> casRepeater, or else start a new one, then register with it. The task of
> the casRepeater is to listen on port 5065 for unicasts and then forward
> them to all registered CA servers.

Just a small correction: usually you would have the casRepeater listen on port 5064, as this
is the one used for CA name resolution requests.

>
> Cheers
> Ben
>
A similar discussion can be found in the core talk archives here:

  https://epics.anl.gov/core-talk/2017/msg00297.php


Greetings,

  Goetz
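To check a capture for the symptom discussed in this thread (CA name-resolution replies leaving the IOC host with a source port other than 5064, which a port-based firewall rule for Channel Access will not match), here is an added example that is not part of the thread or of EPICS itself. It assumes a constructed text export of UDP datagrams in `src sport dst dport` form, a server at 10.0.0.9 and a client at 10.0.0.5; both addresses are made up.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

CA_SERVER_PORT = 5064  # default EPICS_CA_SERVER_PORT: UDP name resolution (and TCP)


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed datagram summaries (not a real capture): two client searches,
# the first answered from 5064, the second answered from a rewritten port.
SAMPLE_CAPTURE = """\
# src       sport  dst       dport
10.0.0.5    40123  10.0.0.9  5064
10.0.0.9    5064   10.0.0.5  40123
10.0.0.5    40124  10.0.0.9  5064
10.0.0.9    49877  10.0.0.5  40124
"""


def parse_capture(text: str) -> List[Datagram]:
    """Parse one 'src sport dst dport' UDP datagram per line; '#' lines are comments."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport = line.split()
        packets.append(Datagram(src, int(sport), dst, int(dport)))
    return packets


def find_rewritten_replies(packets: List[Datagram], server_ip: str) -> List[Datagram]:
    """Return replies from server_ip to a client's search port whose source port is not 5064.

    The client still receives such a reply on the socket it searched from, but a firewall
    that only permits udp/5064 as Channel Access traffic has no rule matching it.
    """
    # A search request is any datagram sent to the server's name-resolution port.
    request_sockets: Set[Tuple[str, int]] = {
        (p.src, p.sport) for p in packets if p.dst == server_ip and p.dport == CA_SERVER_PORT
    }
    return [
        p for p in packets
        if p.src == server_ip and (p.dst, p.dport) in request_sockets and p.sport != CA_SERVER_PORT
    ]
```

On the sample above the check reports the single reply sent from port 49877, the pattern Goetz saw in Wireshark.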



