Hi Gabriel
I think that depends on how you configure firewall.d, for example we flush iptables on startup. We are using this script on each server with more than one IOC and the clients, archiver and the gateway are working fine.
Best Regards,
Abdalla.
-----Original Message-----
From: Gabriel Fedel <gabriel.fedel at ess.eu>
Sent: Tuesday, February 25, 2020 11:50 AM
To: Abdalla Ahmad <Abdalla.Ahmad at sesame.org.jo>; tech-talk at aps.anl.gov
Subject: Re: firewalld configuration for EPICS?
Hi Abdalla,
Thank for the reference.
But I think even using this script the firewall will block the other IOCs to send data to the client, will not?
Best Regards
On 2/25/20 8:53 AM, Abdalla Ahmad wrote:
> Hi Gabriel
>
> You are right. In the case of multiple IOCs, each IOC other than the first one to run will get a random port number. See this link by Ralph https://wiki-ext.aps.anl.gov/epics/index.php/How_to_Make_Channel_Access_Reach_Multiple_Soft_IOCs_on_a_Linux_Host where you create a Network manager dispatcher script where it broadcasts UDP traffic to all processes.
>
> Best Regards,
> Abdalla.
>
> -----Original Message-----
> From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Gabriel
> Fedel via Tech-talk
> Sent: Monday, February 24, 2020 6:33 PM
> To: tech-talk at aps.anl.gov
> Subject: Re: firewalld configuration for EPICS?
>
> Hi all,
>
> I'm doing some tests with firewalld configuration, using yours examples, but I think they will not work if there are more than 1 IOC running on same machine, right?
>
> Because the port for the other IOCs to transfer data will be other then the 5064/5065 for CA (and 5076/5077 for PVAccess).
>
> Is my understanding correct?
>
> Is there some alternative for these cases?
>
> Best Regards
> On 2/24/20 1:27 PM, Jörn Dreyer via Tech-talk wrote:
>> Hi,
>>
>> I have the following content in an XML file under
>> /etc/firewalld/services/EPICSChannelAccess.xml
>>
>> <?xml version="1.0" encoding="utf-8"?> <service>
>> <short>EPICS Channel Access service</short>
>> <port port="ca-1" protocol="tcp"/>
>> <port port="ca-1" protocol="udp"/>
>> <port port="ca-2" protocol="tcp"/>
>> <port port="ca-2" protocol="udp"/>
>> <source-port port="ca-1" protocol="tcp"/>
>> <source-port port="ca-1" protocol="udp"/>
>> <source-port port="ca-2" protocol="tcp"/>
>> <source-port port="ca-2" protocol="udp"/> </service>
>>
>> But this requres a link o be set on my system from /usr/etc/services
>> to /etc/services. Somehow firewalld under OpenSuSE Tumbleweed does
>> not yet honor the new path to this file. But if you replace the
>> symbolic port names to the corresponding numbers it also works.
>>
>> Regards,
>>
>> Jörn
>>
>> Am Montag, 24. Februar 2020, 14:09:57 CET schrieb Goetz Pfeiffer via
>> Tech-talk:
>>
>> > On 4/3/19 11:51 AM, Dirk Zimoch via Tech-talk wrote:
>>
>> > > Hi
>>
>> > >
>>
>> > > Does anyone already have a firewalld configuration to allow
>> Channel
>>
>> > > Access? I.e. something like a
>> /usr/lib/firewalld/services/epics.xml
>> file?
>>
>> > >
>>
>> > > Dirk
>>
>> >
>>
>> > Hello Dirk,
>>
>> >
>>
>> > I just struggled with firewalld in order to make EPICS clients
>> and servers
>>
>> > work and I found this solution for the command line:
>>
>> >
>>
>> > Settings for EPICS clients:
>>
>> >
>>
>> > firewall-cmd --add-rich-rule="rule source-port port=5064
>> protocol=tcp
>>
>> > accept" firewall-cmd --add-rich-rule="rule source-port port=5064
>>
>> > protocol=udp accept" firewall-cmd --add-rich-rule="rule
>> source-port
>>
>> > port=5065 protocol=tcp accept" firewall-cmd --add-rich-rule="rule
>>
>> > source-port port=5065 protocol=udp accept"
>>
>> >
>>
>> > Additional settings for EPICS servers:
>>
>> >
>>
>> > firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"
>>
>> > firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"
>>
>> > firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"
>>
>> > firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"
>>
>> >
>>
>> > Make changes permanent:
>>
>> >
>>
>> > firewall-cmd --runtime-to-permanent
>>
>> >
>>
>> > Greetings
>>
>> >
>>
>> > Goetz
>>
>
> --
> Gabriel Fedel
>
--
Gabriel Fedel
Ship 8, Floor 2.
EPICS Integrator
Integrated Control System Division
The European Spallation Souce
Odarslövsvägen 113
224 84 Lund
mobile Sweden: 0723356030
mobile International: +46723356030
- References:
- Re: firewalld configuration for EPICS? Goetz Pfeiffer via Tech-talk
- Re: firewalld configuration for EPICS? Jörn Dreyer via Tech-talk
- Re: firewalld configuration for EPICS? Gabriel Fedel via Tech-talk
- Re: firewalld configuration for EPICS? Gabriel Fedel via Tech-talk
- Navigate by Date:
- Prev:
Re: firewalld configuration for EPICS? Gabriel Fedel via Tech-talk
- Next:
RE: Areadetector error in version R3-8 Sandeep Kumar Malu - UKRI STFC via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
<2020>
2021
2022
2023
2024
- Navigate by Thread:
- Prev:
Re: firewalld configuration for EPICS? Gabriel Fedel via Tech-talk
- Next:
Re: firewalld configuration for EPICS? Ralph Lange via Tech-talk
- Index:
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
<2020>
2021
2022
2023
2024
|