EPICS Home

Experimental Physics and Industrial Control System


 

Subject: Re: firewalld configuration for EPICS?
From: "Hu, Yong via Tech-talk" <[email protected]>
To: Dirk Zimoch <[email protected]>, "[email protected]" <[email protected]>
Date: Fri, 3 May 2019 16:53:56 +0000

Dirk’s method shown below works for multiple SoftIOCs on a Linux host, the CA server side.

I guess “EPICS.xml” mentioned by Jörn is also for the firewall configuration on the CA server side.

 

For the CA client side, has anyone done the firewall configuration on a Linux workstation running CA clients (EDM, CS-Studio, camonitor, etc.)? As Benjamin pointed out below, I guess it is difficult to configure the firewall for CA clients because of the dynamically assigned TCP port (CA server side) when multiple SoftIOCs are running on a Linux host.

 

Firewalls are mentioned in the CA Reference Manual [1] for the classic EPICS v3. I think the rules (only the INPUT chain is concerned) in the Manual only work for the case where a single IOC runs on Linux. After looking through the CA Protocol Specification, my observation is that the rules are not complete for a CA client, while the rules for a CA server are complete. Another rule is needed, “-A INPUT -s 192.168.0.0/22 -p tcp --sport 5064 -j ACCEPT”, for a CA client, so that the complete rules look like below. Is my observation valid?

# rules for the CA client side:
# allow CA client to get PV search replies
-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
# allow CA client to see beacons
-A INPUT -s 192.168.0.0/22 -p udp --dport 5065 -j ACCEPT
# allow CA client to get data from CA server over TCP
-A INPUT -s 192.168.0.0/22 -p tcp --sport 5064 -j ACCEPT

# rules for the CA server side:
# allow CA server to see PV search request
-A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
# allow CA server to get data from CA client over TCP
-A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT

 

Best,

Yong

NSLS-II Controls Group

 

[1] https://epics.anl.gov/base/R3-15/6-docs/CAref.html#firewall  

[2] https://epics.anl.gov/base/R3-15/6-docs/CAproto/index.html

 

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Reply-To: Dirk Zimoch <[email protected]>
Date: Wednesday, April 10, 2019 at 5:01 AM
To: "[email protected]" <[email protected]>
Subject: Re: firewalld configuration for EPICS?

 

I could open all ephemeral ports, but that's a lot. And it's not what local firewalls typically do.

But I found a way to dynamically open and close used TCP server ports.

I wrote this script "open_firewall.sh":

----------------------------

#!/bin/bash
# Open, in firewalld, every TCP port on which the parent process (the IOC
# that ran "system open_firewall.sh") is listening, then close those
# ports again once that process has gone away.
SERVERPID=$PPID

# netstat -tlpn: listening TCP sockets with PID/program name. With the
# default field split, $4 is the local address ("0.0.0.0:5064" or
# ":::5064"), $6 the state and $7 "PID/name". Splitting on "[ :]+" and
# printing $5 would misread IPv6 listeners, so take the port from $4.
TCPPORTS=$(netstat -tlpn 2>/dev/null | awk -v pid="$SERVERPID" \
   '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ ("^" pid "/") {
        sub(/.*:/, "", $4); print $4 }' | sort -un)

# Runtime-only change (no --permanent), so nothing survives a reboot.
for port in $TCPPORTS
   do firewall-cmd -q --add-port="$port/tcp"
done

# Detached watcher: poll /proc until the server process is gone, then
# remove the ports again via the EXIT trap. Because it only looks for
# the process, a crash or kill -9 of the IOC is handled the same way as
# a clean exit.
{
   close_ports () {
     for port in $TCPPORTS
       do firewall-cmd -q --remove-port="$port/tcp"
     done
   }
   trap close_ports EXIT
   while [ -d /proc/"$SERVERPID" ]
     do sleep 10
   done
}&

----------------------------

 

In the IOC after iocInit I call: system open_firewall.sh

This opens all TCP ports in the firewall where the IOC installed a server, including CA and PVA server ports.

When the IOC exits, the ports are closed automatically, even when the IOC crashes or gets killed with -9.

Example starting a second EPICS 7 IOC:

Starting iocInit
############################################################################
## EPICS R7.0.1.2-DEV-2018-10
## EPICS Base built Oct 31 2018
############################################################################
cas warning: Configured TCP port was unavailable.
cas warning: Using dynamically assigned TCP port 39673,
cas warning: but now two or more servers share the same UDP port.
cas warning: Depending on your IP kernel this server may not be
cas warning: reachable with UDP unicast (a host's IP in EPICS_CA_ADDR_LIST)
iocRun: All initialization complete
2019-04-10T11:51:51.582 Using dynamically assigned TCP port 52773.
system open_firewall.sh
epics> system "firewall-cmd --list-ports"
5064/tcp 5075/tcp 52773/tcp 39673/tcp
epics> exit
Terminated
# firewall-cmd --list-ports
5064/tcp 5075/tcp

 

 

The script should work with any (Linux) server, not only EPICS IOCs, which opens all server ports at startup. It simply uses the parent process id to look for open ports. Of course bash, netstat, awk and firewall-cmd must be installed and /proc must be mounted.

 

Dirk

 

 

On 09.04.19 19:03, Benjamin Franksen via Tech-talk wrote:

On 09.04.19 at 17:18, Dirk Zimoch via Tech-talk wrote:

I had not thought of the multiple IOC problem. In this case it is a Fedora Linux VME IOC. Unlikely to run multiple IOCs but not impossible.

I tried it and naively accessing records on IOC 2 does not work when the firewall is up. I get 'CAC: Unable to connect because "No route to host"' on the client (caget) even when using the broadcast address.

Ah, I didn't understand that you were talking about the firewall on the machine that runs the IOC(s). My remark was about the firewall on the CA client.

Anyway, I thought that services such as a web server use dynamically assigned (ephemeral) ports for the actual data exchange and the well-known port only to initiate communication. I guess a firewall can be configured to allow connections to a web server, so shouldn't it be possible to do the same for (multiple) IOCs?

Cheers

Ben
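The port-discovery step of Dirk's script, as an added shell example that is not part of the thread: it reads netstat -tlpn text from stdin so it can be checked against canned output, handles both IPv4 and IPv6 local addresses, prints the firewall-cmd calls as a dry run instead of executing them, and compares firewall-cmd --list-ports output from before an IOC started and after it exited to confirm no dynamically assigned port was left open. The PIDs and the netstat sample are constructed; only the ports 5064, 5075, 52773 and 39673 are taken from the thread's own example.

```shell
#!/bin/sh
# Added example, not open_firewall.sh itself: the port-discovery step on
# its own, testable against canned `netstat -tlpn` text.

# Constructed sample (not captured from a real host). PID 4711 stands for
# the second IOC that fell back to dynamic ports 52773 and 39673; the
# tcp6 line shows an IPv6 listener ":::PORT", which a "[ :]+" field split
# taking $5 would misread as "*".
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5064            0.0.0.0:*               LISTEN      4242/softIoc
tcp        0      0 0.0.0.0:5075            0.0.0.0:*               LISTEN      4242/softIoc
tcp        0      0 0.0.0.0:52773           0.0.0.0:*               LISTEN      4711/softIoc
tcp        0      0 0.0.0.0:39673           0.0.0.0:*               LISTEN      4711/softIoc
tcp6       0      0 :::39673                :::*                    LISTEN      4711/softIoc
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      -'

# listening_tcp_ports PID   (netstat -tlpn text on stdin)
# Prints the distinct TCP ports PID is listening on, one per line, sorted.
listening_tcp_ports() {
    awk -v pid="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ ("^" pid "/") {
            sub(/.*:/, "", $4)   # keep only the port part of "addr:port"
            print $4
        }' | sort -un
}

# firewall_port_cmds add|remove PID   (netstat -tlpn text on stdin)
# Prints, instead of running, the firewall-cmd calls open_firewall.sh
# would make: a dry run to review before enabling the script on a host.
firewall_port_cmds() {
    listening_tcp_ports "$2" | while read -r port; do
        printf 'firewall-cmd -q --%s-port=%s/tcp\n' "$1" "$port"
    done
}

# leaked_ports "BEFORE" "AFTER": given two `firewall-cmd --list-ports`
# outputs taken before the IOC started and after it exited, print the
# ports that are still open but were not open before (expected: none).
leaked_ports() {
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

printf '%s\n' "$NETSTAT_SAMPLE" | firewall_port_cmds add 4711
leaked_ports "5064/tcp 5075/tcp" "5064/tcp 5075/tcp 52773/tcp"
```

On a real host, replace the sample with the live command (netstat -tlpn | firewall_port_cmds add "$PID") and run it as a user allowed to call firewall-cmd.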

 

