EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System

Subject: Re: Firewall (iptables) issues?
From: Ralph Lange <[email protected]>
To: EPICS Tech Talk <[email protected]>
Date: Fri, 05 Nov 2010 12:36:34 -0400
On 05.11.2010 11:28, Eric Norum wrote:
> To summarize:
>
> If you want channel access clients on a machine to be able to see replies to broadcast PV search requests you need to permit inbound UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064). On systems using iptables this can be accomplished by a rule like
> 	-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
>
> If you want channel access servers (e.g. "soft IOCs") on a machine to be able to see clients you need to permit inbound TCP and UDP packets with source port EPICS_CA_SERVER_PORT (default is 5064). On systems using iptables this can be accomplished by rules like
> 	-A INPUT -s 192.168.0.0/22 -p udp --dport 5064 -j ACCEPT
> 	-A INPUT -s 192.168.0.0/22 -p tcp --dport 5064 -j ACCEPT
>
> In all cases the "-s 192.168.0.0/22" specifies the range of addresses from which you wish to accept packets.

Don't forget:

If you run caRepeater on a machine, so that your client applications are able to see beacons from IOCs, and can detect connection loss and new IOCs coming online, you need to permit inbound UDP packets with source port EPICS_CA_REPEATER_PORT (default is 5065). On systems using iptables this can be accomplished by a rule like
	-A INPUT -s 192.168.0.0/22 -p udp --sport 5065 -j ACCEPT

(Only necessary if your firewall does not allow all outgoing traffic by default:)
If you want channel access servers (e.g. "soft IOCs") on a machine to be able to send beacons, so that their clients can detect connection loss and your IOCs starting up, you need to permit outbound UDP packets with source port EPICS_CA_REPEATER_PORT (default is 5065). On systems using iptables this can be accomplished by a rule like
	-A OUTPUT -p udp --dport 5065 -j ACCEPT

Cheers,
Ralph
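The rules from this thread assembled into one shell function, as an added example that is not code from the thread or from EPICS itself. It reads the port numbers from EPICS_CA_SERVER_PORT and EPICS_CA_REPEATER_PORT (defaulting to 5064/5065), refuses a malformed subnet so a typo cannot silently widen a rule, and keeps the -s restriction on the source-port rules, since a rule matching only on source port accepts any datagram that claims that port; the function name, the role argument and the CIDR check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): print the iptables rules
# discussed above for a host that runs CA clients, CA servers (soft IOCs)
# and caRepeater. Ports follow EPICS_CA_SERVER_PORT / EPICS_CA_REPEATER_PORT.

# Only accept something that looks like an IPv4 CIDR before interpolating it
# into a rule; a bad value must fail rather than produce a broader rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# epics_ca_rules SUBNET ROLE   (ROLE is client, server or both; default both)
# Prints one iptables rule per line, e.g.:
#   epics_ca_rules 192.168.0.0/22 both | sed 's/^/iptables /'
epics_ca_rules() {
    subnet=$1
    role=${2:-both}
    server_port=${EPICS_CA_SERVER_PORT:-5064}
    repeater_port=${EPICS_CA_REPEATER_PORT:-5065}
    valid_cidr "$subnet" || { echo "bad CIDR: $subnet" >&2; return 1; }
    case $role in
        client|server|both) ;;
        *) echo "role must be client, server or both" >&2; return 1 ;;
    esac
    if [ "$role" != server ]; then
        # Clients: replies to broadcast PV searches arrive with source port 5064
        echo "-A INPUT -s $subnet -p udp --sport $server_port -j ACCEPT"
        # caRepeater users: beacon traffic with source port 5065 (rule as in the thread)
        echo "-A INPUT -s $subnet -p udp --sport $repeater_port -j ACCEPT"
    fi
    if [ "$role" != client ]; then
        # Servers: searches (UDP) and connections (TCP) arrive on destination port 5064
        echo "-A INPUT -s $subnet -p udp --dport $server_port -j ACCEPT"
        echo "-A INPUT -s $subnet -p tcp --dport $server_port -j ACCEPT"
        # Servers send beacons to port 5065; only needed if OUTPUT is not open by default
        echo "-A OUTPUT -p udp --dport $repeater_port -j ACCEPT"
    fi
}
```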