On 4/8/19 5:28 PM, Benjamin Franksen via Tech-talk wrote:
> On 05.04.19 at 14:28, Dirk Zimoch via Tech-talk wrote:
>> I installed it (without ca-2/tcp) and it works fine.
> We found that such firewall rules do not work well in combination with
> multiple soft IOCs on Linux. The problem is that for multiple CA servers
> on the same machine to work as expected, it is necessary to add certain
> iptables rules (see
> https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host)
> that convert incoming UDP unicasts (name resolution requests) to
> broadcasts, internally. Unicasts will be sent when the client sets
> EPICS_CA_ADDR_LIST to request a specific server.
>
> The iptables solution is quite elegant but has an unfortunate
> side-effect: the source port of the response packets will be re-written
> to some randomly chosen ephemeral port.
We found with Wireshark that the source port of the packet is changed from 5064 to 1024
and above.
> And that port doesn't match the
> ports configured for the firewall, so the firewall doesn't let them
> through. It is hard to find documentation for this behavior of iptables
> on the internet. The keyword here is "implicit source port mapping".
>
> We have been thinking about this problem for a while. I think the only
> clean solution is for EPICS to offer something similar to the already
> existing caRepeater, only for the server side. Let me call this thing
> the "casRepeater". Similar to the CA client with the caRepeater, each CA
> server would on startup try to locate a running instance of the
> casRepeater, or else start a new one, then register with it. The task of
> the casRepeater is to listen on port 5065 for unicasts and then forward
> them to all registered CA servers.
Just a small correction: usually you would have the casRepeater listen on port 5064, as this
is the port used for CA name resolution requests.
>
> Cheers
> Ben
>
A similar discussion can be found in the core talk archives here:
https://epics.anl.gov/core-talk/2017/msg00297.php
Greetings,
Goetz
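As an added illustration of the symptom discussed in this thread (this is not code from EPICS, iptables or any of the posters): a small Python script that scans tcpdump-style UDP summary lines and flags CA replies whose source port no longer matches 5064, i.e. the packets a firewall that only admits udp/5064 and udp/5065 would silently drop. The log lines, addresses and ports are constructed for the example.

```python
"""Flag Channel Access (CA) UDP replies whose source port was rewritten by NAT.

Added example for this thread; not code from EPICS, iptables or the posters.
The log lines below are constructed in tcpdump's "IP a.b.c.d.port > ..." style
and are not a real capture.
"""
import re

CA_SERVER_PORT = 5064      # CA name-resolution (UDP) port, as quoted in the thread
CA_REPEATER_PORT = 5065    # caRepeater port

# tcpdump-style UDP summary line, e.g.
# "12:00:01.000 IP 10.0.0.5.5064 > 10.0.0.9.40123: UDP, length 48"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

# Constructed sample: one search request to port 5064, then three replies.
# The first keeps source port 5064; the other two have been remapped to an
# ephemeral port (1024 and above), which is what Goetz observed in Wireshark.
SAMPLE_LOG = """\
12:00:01.000 IP 10.0.0.9.40123 > 10.0.0.5.5064: UDP, length 32
12:00:01.001 IP 10.0.0.5.5064 > 10.0.0.9.40123: UDP, length 48
12:00:01.002 IP 10.0.0.5.1024 > 10.0.0.9.40123: UDP, length 48
12:00:01.003 IP 10.0.0.5.38927 > 10.0.0.9.40123: UDP, length 48
"""


def parse(log):
    """Yield (src, sport, dst, dport) for every UDP summary line in the log."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_remapped_replies(log, server_port=CA_SERVER_PORT):
    """Return replies that answer a request sent to server_port but leave the
    server from some other source port.

    Those are exactly the packets a firewall rule set that only permits UDP
    from the CA ports would reject, so a non-empty result is a strong hint
    that implicit source port mapping (NAT) is rewriting the responses.
    """
    requests = set()   # (client_ip, client_port, server_ip) seen so far
    remapped = []
    for src, sport, dst, dport in parse(log):
        if dport == server_port:
            # A client asking the CA server: remember who asked and from where.
            requests.add((src, sport, dst))
        elif (dst, dport, src) in requests and sport != server_port:
            # A reply to a known request, but not from the port the client expects.
            remapped.append((src, sport, dst, dport))
    return remapped


def allowed_by_firewall(sport, allowed=(CA_SERVER_PORT, CA_REPEATER_PORT)):
    """Model a rule set that only admits UDP replies sourced from the CA ports."""
    return sport in allowed


if __name__ == "__main__":
    for src, sport, dst, dport in find_remapped_replies(SAMPLE_LOG):
        verdict = "allowed" if allowed_by_firewall(sport) else "DROPPED by firewall"
        print(f"reply {src}:{sport} -> {dst}:{dport}: source port rewritten, {verdict}")
```

Feeding a real `tcpdump -n udp` summary of the host into `find_remapped_replies` gives a quick check of whether the iptables workaround on that host is suffering from the source-port rewrite, without having to read individual packets in Wireshark.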