EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: RE: firewalld configuration for EPICS?
From: Abdalla Ahmad via Tech-talk <tech-talk at aps.anl.gov>
To: Gabriel Fedel <gabriel.fedel at ess.eu>, "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Tue, 25 Feb 2020 09:54:56 +0000

Hi Gabriel

I think that depends on how you configure firewalld; for example, we flush iptables on startup. We are using this script on each server with more than one IOC, and the clients, archiver and the gateway are working fine.

Best Regards,
Abdalla.

-----Original Message-----
From: Gabriel Fedel <gabriel.fedel at ess.eu> 
Sent: Tuesday, February 25, 2020 11:50 AM
To: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; tech-talk at aps.anl.gov
Subject: Re: firewalld configuration for EPICS?

Hi Abdalla,

Thanks for the reference.
But I think that even using this script the firewall will block the other IOCs from sending data to the client, won't it?

Best Regards

On 2/25/20 8:53 AM, Abdalla Ahmad wrote:
> Hi Gabriel
> 
> You are right. In the case of multiple IOCs, each IOC other than the first one to run will get a random port number. See this link by Ralph https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host where you create a NetworkManager dispatcher script that broadcasts UDP traffic to all processes.
> 
> Best Regards,
> Abdalla.
> 
> -----Original Message-----
> From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Gabriel 
> Fedel via Tech-talk
> Sent: Monday, February 24, 2020 6:33 PM
> To: tech-talk at aps.anl.gov
> Subject: Re: firewalld configuration for EPICS?
> 
> Hi all,
> 
> I'm doing some tests with firewalld configuration, using your examples, but I think they will not work if there is more than one IOC running on the same machine, right?
> 
> Because the port for the other IOCs to transfer data will be other than the 5064/5065 for CA (and 5076/5077 for PVAccess).
> 
> Is my understanding correct?
> 
> Is there some alternative for these cases?
> 
> Best Regards
> On 2/24/20 1:27 PM, Jörn Dreyer via Tech-talk wrote:
>> Hi,
>>
>> I have the following content in an XML file under 
>> /etc/firewalld/services/EPICSChannelAccess.xml
>>
>> <?xml version="1.0" encoding="utf-8"?>
>> <service>
>>    <short>EPICS Channel Access service</short>
>>    <port port="ca-1" protocol="tcp"/>
>>    <port port="ca-1" protocol="udp"/>
>>    <port port="ca-2" protocol="tcp"/>
>>    <port port="ca-2" protocol="udp"/>
>>    <source-port port="ca-1" protocol="tcp"/>
>>    <source-port port="ca-1" protocol="udp"/>
>>    <source-port port="ca-2" protocol="tcp"/>
>>    <source-port port="ca-2" protocol="udp"/>
>> </service>
>>
>> But this requires a link to be set on my system from /usr/etc/services 
>> to /etc/services. Somehow firewalld under OpenSuSE Tumbleweed does 
>> not yet honor the new path to this file. But if you replace the 
>> symbolic port names with the corresponding numbers it also works.
>>
>> Regards,
>>
>> Jörn
>>
>> On Monday, 24 February 2020, 14:09:57 CET, Goetz Pfeiffer via
>> Tech-talk wrote:
>>
>> > On 4/3/19 11:51 AM, Dirk Zimoch via Tech-talk wrote:
>> > > Hi
>> > >
>> > > Does anyone already have a firewalld configuration to allow Channel
>> > > Access? I.e. something like a /usr/lib/firewalld/services/epics.xml file?
>> > >
>> > > Dirk
>> >
>> > Hello Dirk,
>> >
>> > I just struggled with firewalld in order to make EPICS clients and servers
>> > work and I found this solution for the command line:
>> >
>> > Settings for EPICS clients:
>> >
>> >   firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=tcp accept"
>> >   firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=udp accept"
>> >   firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=tcp accept"
>> >   firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=udp accept"
>> >
>> > Additional settings for EPICS servers:
>> >
>> >   firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"
>> >   firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"
>> >   firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"
>> >   firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"
>> >
>> > Make changes permanent:
>> >
>> >   firewall-cmd --runtime-to-permanent
>> >
>> > Greetings
>> >
>> >   Goetz
>>
> 
> --
> Gabriel Fedel
> 

--
Gabriel Fedel

Ship 8, Floor 2.
EPICS Integrator
Integrated Control System Division
The European Spallation Source
Odarslövsvägen 113
224 84 Lund

mobile Sweden: 0723356030
mobile International: +46723356030
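
Added example, not part of the original thread or any poster's code: a check for the multi-IOC case discussed above. It reads a firewalld service definition like the one quoted, resolves the symbolic port names, and lists IOC TCP listeners that the definition does not open. The ss output, the PIDs, port 41873 and the process name softIoc are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

NAMED_PORTS = {"ca-1": 5064, "ca-2": 5065}  # Channel Access names in /etc/services

# Constructed sample: the <port> entries of the service definition quoted in the thread.
SERVICE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<service>
  <port port="ca-1" protocol="tcp"/>
  <port port="ca-1" protocol="udp"/>
  <port port="ca-2" protocol="tcp"/>
  <port port="ca-2" protocol="udp"/>
</service>"""

# Constructed sample of `ss -H -tlnp` output: two soft IOCs on one host.
SS_OUTPUT = """\
LISTEN 0 20  0.0.0.0:5064  0.0.0.0:* users:(("softIoc",pid=2101,fd=5))
LISTEN 0 20  0.0.0.0:41873 0.0.0.0:* users:(("softIoc",pid=2188,fd=5))
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=901,fd=3))
"""

def resolve(port):
    """Turn a firewalld port attribute (name, number or range) into port numbers."""
    if port in NAMED_PORTS:  # check names first: "ca-1" is a name, not a range
        return [NAMED_PORTS[port]]
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", port)
    if not m:
        raise ValueError(f"unresolvable port name: {port!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return list(range(lo, hi + 1))

def allowed_ports(xml_bytes):
    """Set of (port, protocol) pairs opened by the <port> elements of a service file."""
    root = ET.fromstring(xml_bytes)
    return {(n, el.get("protocol"))
            for el in root.iter("port") for n in resolve(el.get("port"))}

def ioc_listeners(ss_text, process="softIoc"):
    """(pid, tcp_port) for each listening socket owned by the named process."""
    pat = re.compile(r":(\d+)\s+\S+\s+users:\(\(\"%s\",pid=(\d+)" % re.escape(process))
    return [(int(m.group(2)), int(m.group(1))) for m in pat.finditer(ss_text)]

def blocked_iocs(xml_bytes, ss_text):
    """IOCs whose TCP listening port is not opened by the service definition."""
    allowed = allowed_ports(xml_bytes)
    return [(pid, p) for pid, p in ioc_listeners(ss_text) if (p, "tcp") not in allowed]

if __name__ == "__main__":
    print("IOC sockets the service does not open:", blocked_iocs(SERVICE_XML, SS_OUTPUT))
```

On a host, pass the output of `ss -H -tlnp` in place of the sample text.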

ANJ, 28 Feb 2020