I could open all ephemeral ports, but that's a lot. And it's not what
local firewalls typically do.
But I found a way to dynamically open and close used TCP server ports.
I wrote this script "open_firewall.sh":
----------------------------
#!/bin/bash
# The IOC shell's "system" call is our parent, so $PPID is the IOC process.
SERVERPID=$PPID
# Listening TCP sockets owned by that PID. Splitting the netstat line on
# runs of spaces and colons puts the local port in field 5 (for IPv4
# listener lines such as "0.0.0.0:5064"; a ":::port" IPv6 line shifts the fields).
TCPPORTS=$(netstat -tlpn | awk -F '[ :]+' "/ $SERVERPID\//"'{print $5}')
# Open each port in the runtime (non-permanent) firewalld configuration.
for port in $TCPPORTS
do firewall-cmd -q --add-port="$port"/tcp
done
# Background watcher: polls /proc for the IOC's PID and, once the directory
# is gone (normal exit, crash or kill -9), its EXIT trap removes the ports again.
{
    close_ports () {
        for port in $TCPPORTS
        do firewall-cmd -q --remove-port="$port"/tcp
        done
    }
    trap close_ports EXIT
    while [ -d /proc/"$SERVERPID" ]
    do sleep 10
    done
}&
----------------------------
In the IOC after iocInit I call: system open_firewall.sh
This opens all TCP ports in the firewall where the IOC installed a
server, including CA and PVA server ports.
When the IOC exits, the ports are closed automatically, even when the
IOC crashes or gets killed with -9.
Example starting a second EPICS 7 IOC:
Starting iocInit
############################################################################
## EPICS R7.0.1.2-DEV-2018-10
## EPICS Base built Oct 31 2018
############################################################################
cas warning: Configured TCP port was unavailable.
cas warning: Using dynamically assigned TCP port 39673,
cas warning: but now two or more servers share the same UDP port.
cas warning: Depending on your IP kernel this server may not be
cas warning: reachable with UDP unicast (a host's IP in EPICS_CA_ADDR_LIST)
iocRun: All initialization complete
2019-04-10T11:51:51.582 Using dynamically assigned TCP port 52773.
system open_firewall.sh
epics> system "firewall-cmd --list-ports"
5064/tcp 5075/tcp 52773/tcp 39673/tcp
epics> exit
Terminated
# firewall-cmd --list-ports
5064/tcp 5075/tcp
The script should work with any (Linux) server, not only EPICS IOCs,
which opens all server ports at startup. It simply uses the parent
process id to look for open ports. Of course bash, netstat, awk and
firewall-cmd must be installed and /proc must be mounted.
Dirk
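The port discovery in the script above is the part worth getting right, since every port it finds is opened to the network. The following is an added example, not Dirk's open_firewall.sh: it takes the port from after the last colon of the local-address column, so IPv6 listeners (":::52773") are matched as well as IPv4 ones, and it lets the firewall command be swapped for a print-only stand-in so the resulting rules can be reviewed before they are applied. The netstat output, the PID 4242 and the "softIoc" name are constructed for the demonstration; `firewall-cmd --add-port` / `--remove-port` and `netstat -tlpn` are the real tools used in the post.

```shell
#!/bin/bash
# Added example (not the post's script): find the TCP listeners of one PID in
# `netstat -tlpn` output and add/remove firewalld runtime rules for exactly
# those ports, with a dry-run mode for reviewing the rules first.

# Constructed `netstat -tlpn` output for the demonstration (not captured from a
# real host). PID 4242 stands in for the IOC; note the IPv6 listener on 52773.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5064            0.0.0.0:*               LISTEN      4242/softIoc
tcp        0      0 0.0.0.0:5075            0.0.0.0:*               LISTEN      4242/softIoc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      918/cupsd
tcp6       0      0 :::52773                :::*                    LISTEN      4242/softIoc
tcp6       0      0 :::22                   :::*                    LISTEN      1/sshd'

# listening_ports PID   (netstat -tlpn output on stdin)
# Prints one port per line, numerically sorted and de-duplicated, for every
# LISTEN socket whose "PID/Program name" column starts with "PID/".
# Default whitespace splitting keeps the local address in field 4 whatever
# the address family; the port is the text after its last colon.
listening_ports() {
    awk -v pid="$1" '
        $6 == "LISTEN" && $NF ~ ("^" pid "/") {
            n = split($4, addr, ":")
            print addr[n]
        }' | sort -un
}

# Command that changes the firewall. Override it for a dry run:
#   FIREWALL_CMD=print_only apply_rules add 4242 < netstat.txt
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
print_only() { printf '%s\n' "$*"; }

# apply_rules add|remove PID   (netstat -tlpn output on stdin)
# Runs "$FIREWALL_CMD -q --add-port=PORT/tcp" (or --remove-port) per port;
# stops at the first failure so a partial change is not silently ignored.
apply_rules() {
    local action="$1" pid="$2" port
    for port in $(listening_ports "$pid"); do
        "$FIREWALL_CMD" -q "--${action}-port=${port}/tcp" || return 1
    done
}

# guard_process [PID]: live equivalent of the post's script. Snapshots netstat
# once, opens the PID's ports, and a background watcher removes the same ports
# when /proc/PID disappears (normal exit, crash or kill -9 alike).
guard_process() {
    local pid="${1:-$PPID}" snapshot
    snapshot=$(netstat -tlpn 2>/dev/null) || return 1
    printf '%s\n' "$snapshot" | apply_rules add "$pid" || return 1
    (
        trap 'printf "%s\n" "$snapshot" | apply_rules remove "$pid"' EXIT
        while [ -d "/proc/$pid" ]; do sleep 10; done
    ) &
}

# Stand-alone demo: dry run against the constructed sample, prints the three
# rules that would be added for PID 4242 without touching any firewall.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | FIREWALL_CMD=print_only apply_rules add 4242
fi
```

Running the file with `--demo` prints the `-q --add-port=PORT/tcp` arguments for 5064, 5075 and 52773 and nothing for the cupsd or sshd sockets, which is the review step worth doing before pointing `guard_process` at a real PID. `guard_process` keeps the netstat snapshot taken at start so that the removal pass closes the same ports it opened, even though by then the process no longer shows up in netstat.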
On 09.04.19 19:03, Benjamin Franksen via Tech-talk wrote:
On 09.04.19 at 17:18, Dirk Zimoch via Tech-talk wrote:
I had not thought of the multiple IOC problem. In this case it is a
Fedora Linux VME IOC. Unlikely to run multiple IOCs but not impossible.
I tried it and naively accessing records on IOC 2 does not work when the
firewall is up. I get 'CAC: Unable to connect because "No route to
host"' on the client (caget) even when using the broadcast address.
Ah, I didn't understand that you were talking about firewall on the
machine that runs the IOC(s). My remark was about firewall on the CA client.
Anyway, I thought that services such as a web server use dynamically
assigned (ephemeral) ports for the actual data exchange and the
well-known port only to initiate communication. I guess a firewall can
be configured to allow connections to a web server, so shouldn't it be
possible to do the same for (multiple) IOCs?
Cheers
Ben
- Replies:
- Re: firewalld configuration for EPICS? Hu, Yong via Tech-talk
- References:
- firewalld configuration for EPICS? Dirk Zimoch via Tech-talk
- Re: firewalld configuration for EPICS? Jörn Dreyer via Tech-talk
- Re: firewalld configuration for EPICS? Dirk Zimoch via Tech-talk
- Re: firewalld configuration for EPICS? Benjamin Franksen via Tech-talk
- Re: firewalld configuration for EPICS? Dirk Zimoch via Tech-talk
- Re: firewalld configuration for EPICS? Benjamin Franksen via Tech-talk