Experimental Physics and
Industrial Control System

Hello Abdalla,

I remember we had this kind of problem on RHEL8 IOC servers. To fix it, we disable the firewall and iptables, then use this command (change enp11s0f1 to your actual NIC):
firewall-cmd --zone=trusted --change-interface=enp11s0f1 --permanent

Hope this helps.
Cheers,
Yong

Hi

 

I recently investigated Rocky Linux to deploy EPICS IOCs, I mainly focused on configuring the firewall (both firewall-cmd and iptables). I have tested the following cases:

• Testing one IOC on the same host: I created an IOC and ran caget on the same host as the IOC, it did not find the PV. So I thought of enabling EPICS ports using firewall-cmd and it worked.
• Testing multiple IOCs on the same host: It worked using the previous configuration.
• Testing multiple IOCs from another host on the same VLAN: It did not work until I enabled both tcp and udp protocols (using –add-protocol option) along with –complete-reload.
• Testing multiple IOCs from another host on a different VLAN: This is a very confusing one. I enabled EPICS ports, tcp and udp, now I can do caget and cainfo on PVs from the last running IOCs. When I added the UDP broadcast rule in iptables while firewalld is running, for some reason cainfo could not find the PVs but caget was working (I ran these commands from a windows 10 host). When I disabled firewalld and used iptables only, I can see the PVs on the same host, same VLAN and different VLAN.

 

Eventually, this is the configuration I used:

/usr/bin/firewall-cmd --permanent --add-port=5064/tcp

/usr/bin/firewall-cmd --permanent --add-port=5064/udp

/usr/bin/firewall-cmd --permanent --add-port=5065/tcp

/usr/bin/firewall-cmd --permanent --add-port=5065/udp

/usr/bin/firewall-cmd --permanent --add-protocol=tcp

/usr/bin/firewall-cmd --permanent --add-protocol=udp

/usr/bin/firewall-cmd –reload

 

I wonder what is the difference between RHEL 7 and 8 firewall configurations? On CentOS 7, we have firewalld running but with no configuration and we flush iptables (except for the UDP broadcast rule above). What is the best scenario here or which is better firewalld or iptables in this case? I think for some reason, firewalld does not allow UDP broadcast and I could not figure out how to do it in firewall-cmd. Any feedback is really appreciated.

 

Best Regards,

Abdalla.