| 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024> 2025 | Index | 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 <2024> 2025 |
| <== Date ==> | <== Thread ==> |
|---|
| Subject: | RE: firewalld configuration for EPICS? |
| From: | Abdalla Ahmad via Tech-talk <tech-talk at aps.anl.gov> |
| To: | Mark Rivers <rivers at cars.uchicago.edu> |
| Cc: | "tech-talk at aps.anl.gov" <Tech-talk at aps.anl.gov> |
| Date: | Tue, 4 Jun 2024 06:10:16 +0000 |
|
Hello Mark We have similar setup to yours, multiple IOCs on a server and clients on different machines, same and different subnets. For the same subnet we use the UDP broadcast
rule mentioned
here, you don’t need the whole script, just run the iptables rule in the “up” mode section on startup and you’re good to go. For clients on different subnets, I think you need to have an EPICS gateway, one for each subnet. Another option you can use, as
Freddie pointed out, is to have the IOCs listen on the loopback and one EPICS gateway running on port 5064. Please note that the previous is working when adding the NIC to the trusted zone in Rocky Linux 8, I tried working on configuring the firewall to work with our
setup, some IOCs work and others didn’t. But as I am writing this, I think if you add an EPICS gateway to each server listening on port 5064, you could have the firewall working while allowing ports 5064 and 5065 both TCP and UDP. Best Regards, Abdalla. From: Tech-talk <tech-talk-bounces at aps.anl.gov>
On Behalf Of Mark Rivers via Tech-talk Folks,
Ø
Is it sufficient to follow these instructions?
Ø
Or do the multiple IOCs require additional complexity? I have now empirically answered that question, and it is NOT sufficient to implement the firewall rules documented in the CA Reference Manual. When I do that, I can only connect to the first IOC I start. Is there a recipe for configuring the firewall when multiple IOCs are running on that Linux machine? I can access all IOCs from CA clients running on that same machine, but not from clients running on other
machines. Thanks, Mark From: Mark Rivers
Folks, We would like to start to enable the firewalls on our Linux machines that are running Linux IOCs and clients. The only “official” documentation I can find is the most recent CA Reference Manual: https://epics.anl.gov/base/R7-0/8-docs/CAref.html#firewall And in “How to Configure Channel Access”: Both of these are very terse, and do not explicitly discuss the case of multiple IOCs on a Linux server. The tech-talk thread I am responding to did not reach a clear conclusion and recommendation. My configuration is as follows:
-
RHEL 9 servers running multiple IOCs
-
All clients are either on that server or other machines on the same subnet. Thus, CA searches can simply use broadcasts, and we don’t need to use the IP Tables mechanism. Is it sufficient to follow these instructions? Or do the multiple IOCs require additional complexity? Thanks, Mark From: Tech-talk <tech-talk-bounces at aps.anl.gov>
On Behalf Of Ralph Lange via Tech-talk Small note: On Mon, 24 Feb 2020 at 14:10, Goetz Pfeiffer via Tech-talk <tech-talk at aps.anl.gov> wrote:
Channel Access does not use TCP on the beacon port (aka CA_REPEATER_PORT, ca-2, 5065). Opening it does no harm, but is not needed. Cheers, |