Experimental Physics and
Industrial Control System

1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024>	Index	1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024>
<== Date ==>		<== Thread ==>

Subject:	RE: firewalld configuration for EPICS?
From:	Mark Rivers via Tech-talk <tech-talk at aps.anl.gov>
To:	EPICS Tech Talk <tech-talk at aps.anl.gov>
Date:	Mon, 3 Jun 2024 20:25:44 +0000

Folks,

We would like to start to enable the firewalls on our Linux machines that are running Linux IOCs and clients.

The only “official” documentation I can find is the most recent CA Reference Manual:

https://epics.anl.gov/base/R7-0/8-docs/CAref.html#firewall

And in “How to Configure Channel Access”:

https://epics-controls.org/resources-and-support/documents/howto-documents/configure-channel-access/#Firewalls

Both of these are very terse, and do not explicitly discuss the case of multiple IOCs on a Linux server.

The tech-talk thread I am responding to did not reach a clear conclusion and recommendation.

My configuration is as follows:

RHEL 9 servers running multiple IOCs
All clients are either on that server or other machines on the same subnet. Thus, CA searches can simply use broadcasts, and we don’t need to use the IP Tables mechanism.

Is it sufficient to follow these instructions?

https://epics-controls.org/resources-and-support/documents/howto-documents/configure-channel-access/#Firewalls

Or do the multiple IOCs require additional complexity?

Thanks,

Mark

From: Tech-talk <tech-talk-bounces at aps.anl.gov> On Behalf Of Ralph Lange via Tech-talk
Sent: Friday, February 28, 2020 4:26 AM
To: EPICS Tech Talk <tech-talk at aps.anl.gov>
Subject: Re: firewalld configuration for EPICS?

Small note:

On Mon, 24 Feb 2020 at 14:10, Goetz Pfeiffer via Tech-talk <tech-talk at aps.anl.gov> wrote:

Settings for EPICS clients:

firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule source-port port=5064 protocol=udp accept"
firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule source-port port=5065 protocol=udp accept"

Additional settings for EPICS servers:

firewall-cmd --add-rich-rule="rule port port=5064 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule port port=5064 protocol=udp accept"
firewall-cmd --add-rich-rule="rule port port=5065 protocol=tcp accept"
firewall-cmd --add-rich-rule="rule port port=5065 protocol=udp accept"

Channel Access does not use TCP on the beacon port (aka CA_REPEATER_PORT, ca-2, 5065). Opening it does no harm, but is not needed.

Reference: https://docs.epics-controls.org/en/latest/specs/ca_protocol.html

Cheers,
~Ralph

Replies:: RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk

Navigate by Date:: Prev: RE: asyn master, base 7.0.3 build error from devAsynXXXArray.cpp Mark Rivers via Tech-talk; Next: RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk; Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024>
Navigate by Thread:: Prev: RE: asyn master, base 7.0.3 build error from devAsynXXXArray.cpp Mark Rivers via Tech-talk; Next: RE: firewalld configuration for EPICS? Mark Rivers via Tech-talk; Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024>

ANJ, 03 Jun 2024

· Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System