Settings for EPICS clients:
firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=udp accept"
firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=udp accept"
Additional settings for EPICS servers:
firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"
firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"
Channel Access does not use TCP on the beacon port (aka CA_REPEATER_PORT, ca-2, 5065). Opening it does no harm, but is not needed.
Cheers,
~Ralph
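
Added example, not part of the message above: a shell function that prints the same rule set with TCP on 5065 left out, since the note says it is not needed, and with each rule limited to one source subnet, because an unscoped source-port rule accepts packets from any host that sends from that port. The function names and the 192.0.2.0/24 subnet are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): print scoped firewalld rich
# rules for a Channel Access host. Nothing is applied; the commands are only
# printed so they can be reviewed first.
# Usage: ca_rules ROLE SUBNET   (ROLE: client|server, SUBNET: IPv4 CIDR)

ca_rule() {  # $1=element (source-port|port)  $2=port  $3=protocol  $4=subnet
    printf "firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" %s port=\"%s\" protocol=\"%s\" accept'\n" \
        "$4" "$1" "$2" "$3"
}

ca_rules() {
    role=$1 subnet=$2
    case $role in
        client|server) ;;
        *) echo "ca_rules: role must be client or server" >&2; return 2 ;;
    esac
    # Accept only digits, dots and one slash, so the value cannot break out
    # of the quoting in the printed command.
    case $subnet in
        *[!0-9./]*|*/*/*|"") echo "ca_rules: bad subnet" >&2; return 2 ;;
        */*) ;;
        *) echo "ca_rules: subnet needs a /prefix" >&2; return 2 ;;
    esac
    # 5065/tcp is left out: Channel Access does not use TCP on the beacon port.
    for spec in 5064/tcp 5064/udp 5065/udp; do
        ca_rule source-port "${spec%/*}" "${spec#*/}" "$subnet"
    done
    # Servers additionally accept traffic addressed to the CA ports.
    if [ "$role" = server ]; then
        for spec in 5064/tcp 5064/udp 5065/udp; do
            ca_rule port "${spec%/*}" "${spec#*/}" "$subnet"
        done
    fi
}

# Constructed sample subnet (documentation range), not from the post.
ca_rules server 192.0.2.0/24
```

The printed commands change the runtime configuration only; `firewall-cmd --runtime-to-permanent` saves it once the rules are confirmed to work.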