Subject: Re: firewalld configuration for EPICS?
From: Dirk Zimoch via Tech-talk <[email protected]>
To: <[email protected]>
Date: Wed, 10 Apr 2019 11:00:45 +0200
But I found a way to dynamically open and close used TCP server ports. I wrote this script "open_firewall.sh":

----------------------------
#!/bin/bash
# Called from the IOC with "system open_firewall.sh", so the parent process
# of this script is the IOC whose listening ports we want to open.
SERVERPID=$PPID

# Collect the TCP ports on which the parent process is listening.
# In "netstat -tlpn" column 4 is the local address ("0.0.0.0:5064" or ":::5075")
# and column 7 is "PID/Program name"; keep only the port after the last colon,
# which also works for IPv6 listeners where splitting on "[ :]+" does not.
TCPPORTS=$(netstat -tlpn 2>/dev/null |
    awk -v pid="$SERVERPID" '$7 ~ ("^" pid "/") { sub(/.*:/, "", $4); print $4 }')

# Open the ports in the runtime firewall configuration (not --permanent).
for port in $TCPPORTS
do
    firewall-cmd -q --add-port="$port"/tcp
done

# Background watcher: lives as long as the IOC exists in /proc and removes
# the ports again on exit, whether the IOC stopped cleanly or was killed.
{
    close_ports () {
        for port in $TCPPORTS
        do
            firewall-cmd -q --remove-port="$port"/tcp
        done
    }
    trap close_ports EXIT
    while [ -d /proc/$SERVERPID ]
    do
        sleep 10
    done
}&
----------------------------

In the IOC after iocInit I call:

system open_firewall.sh

This opens all TCP ports in the firewall where the IOC installed a server, including CA and PVA server ports.
When the IOC exits, the ports are closed automatically, even when the IOC crashes or gets killed with -9.
Example starting a second EPICS 7 IOC:

Starting iocInit
############################################################################
## EPICS R7.0.1.2-DEV-2018-10
## EPICS Base built Oct 31 2018
############################################################################
cas warning: Configured TCP port was unavailable.
cas warning: Using dynamically assigned TCP port 39673,
cas warning: but now two or more servers share the same UDP port.
cas warning: Depending on your IP kernel this server may not be
cas warning: reachable with UDP unicast (a host's IP in EPICS_CA_ADDR_LIST)
iocRun: All initialization complete
2019-04-10T11:51:51.582 Using dynamically assigned TCP port 52773.
system open_firewall.sh
epics> system "firewall-cmd --list-ports"
5064/tcp 5075/tcp 52773/tcp 39673/tcp
epics> exit
Terminated
# firewall-cmd --list-ports
5064/tcp 5075/tcp

The script should work with any (Linux) server which opens all its server ports at startup, not only EPICS IOCs. It simply uses the parent process id to look for open ports. Of course bash, netstat, awk and firewall-cmd must be installed and /proc must be mounted.
Dirk

On 09.04.19 19:03, Benjamin Franksen via Tech-talk wrote:
> On 09.04.19 at 17:18, Dirk Zimoch via Tech-talk wrote:
>> I had not thought of the multiple IOC problem. In this case it is a Fedora Linux VME IOC. Unlikely to run multiple IOCs but not impossible. I tried it and naively accessing records on IOC 2 does not work when the firewall is up. I get 'CAC: Unable to connect because "No route to host"' on the client (caget) even when using the broadcast address.
>
> Ah, I didn't understand that you were talking about firewall on the machine that runs the IOC(s). My remark was about firewall on the CA client. Anyway, I thought that services such as a web server use dynamically assigned (ephemeral) ports for the actual data exchange and the well-known port only to initiate communication. I guess a firewall can be configured to allow connections to a web server, so shouldn't it be possible to do the same for (multiple) IOCs?
>
> Cheers
> Ben
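As an added example (not part of Dirk's message and not EPICS project code), the same open-on-start, close-on-exit idea split into functions so that the port discovery can be checked on captured netstat output without root or a running IOC. The sample netstat listing is constructed (PID 1234 with IPv4 and IPv6 listeners, plus one unrelated service), the DRY_RUN variable is a hypothetical switch that prints the firewall-cmd calls instead of running them, and the watcher mirrors the background loop in the script above; it only relies on netstat, firewall-cmd and /proc as the original does.

```shell
#!/bin/bash
# Added example, not Dirk's open_firewall.sh: open the TCP ports a process is
# listening on in the firewalld runtime configuration and close them again when
# the process disappears. Parsing is separated from the firewall-cmd calls so it
# can be exercised offline. DRY_RUN is a hypothetical switch: DRY_RUN=1 prints
# the firewall-cmd commands instead of executing them.

# Constructed sample of "netstat -tlpn" output (not captured from a real host):
# IPv4 and IPv6 listeners owned by PID 1234 plus one unrelated service.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5064            0.0.0.0:*               LISTEN      1234/softIoc
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      99/cupsd
tcp6       0      0 :::5075                 :::*                    LISTEN      1234/softIoc
tcp6       0      0 :::52773                :::*                    LISTEN      1234/softIoc'

# Read netstat -tlpn output on stdin; print the listening TCP ports owned by
# PID $1, one per line, deduplicated. Columns: proto recv-q send-q local-address
# foreign-address state pid/program. Stripping everything up to the last colon
# handles "0.0.0.0:5064" and the IPv6 form ":::5075" alike, which a field split
# on "[ :]+" does not.
ports_for_pid() {
    pid="$1"
    while read -r proto recvq sendq laddr faddr state owner rest; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip header lines
        case "$owner" in "$pid"/*) ;; *) continue ;; esac   # other processes
        echo "${laddr##*:}"
    done | sort -nu
}

# For each port on stdin add or remove (action = add|remove) a runtime
# firewalld rule. Nothing is made --permanent, so a reboot starts clean.
apply_rules() {
    action="$1"
    while read -r port; do
        [ -n "$port" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "firewall-cmd -q --${action}-port=${port}/tcp"
        else
            firewall-cmd -q "--${action}-port=${port}/tcp"
        fi
    done
}

# Detached watcher: poll /proc until the process is gone, then remove the ports.
# The EXIT trap fires when the subshell ends normally after the loop, so the
# cleanup also runs when the watched process crashed or was killed with -9.
watch_and_close() {
    pid="$1"
    ports="$2"
    (
        trap 'printf "%s\n" "$ports" | apply_rules remove' EXIT
        while [ -d "/proc/$pid" ]; do
            sleep 10
        done
    ) &
}

# Usage (as root, with netstat and firewall-cmd installed): script.sh <pid>
# With no argument nothing is touched, so the functions can be sourced and tested.
if [ $# -gt 0 ]; then
    ports=$(netstat -tlpn 2>/dev/null | ports_for_pid "$1")
    printf '%s\n' "$ports" | apply_rules add
    watch_and_close "$1" "$ports"
fi
```

Run with `DRY_RUN=1 ./script.sh $PPID` from a shell to see which rules would be added for the calling process before letting it touch the firewall; in the IOC it would be called with the IOC's own PID the same way the original uses $PPID.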