Experimental Physics and
Industrial Control System
| 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 <2010> 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 | Index | 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 <2010> 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 |
| <== Date ==> | <== Thread ==> |
|---|
| Subject: | RE: Firewall (iptables) issues? |
| From: | "Jeff Hill" <[email protected]> |
| To: | "'Eric Norum'" <[email protected]> |
| Cc: | [email protected] |
| Date: | Fri, 5 Nov 2010 16:50:36 -0600 |
|
>I
don't understand. The rules that I presented are for inbound packets. >If you want channel access _clients_ on a machine
to be able to see _replies_ to broadcast PV search requests >
The first rule > -A INPUT -s 192.168.0.0/22 -p
udp --sport 5064 -j ACCEPT >
takes care of incoming responses to PV search requests. The server typically does
not send udp response frames back to the client using
port 5064 as the destination
address because the client’s udp port is ephemeral
(dynamically assigned). The server instead sends it
responses to a destination address which is whatever source address it finds in the incoming
udp request frame. Thus enabling 5064 for
the client doesn’t hurt anything, but it probably doesn’t help, actually
emasculates the firewall,
and maybe it works now for you only because the stateful
firewall transparently allows replies from the
server that are being sent to the client’s ephemeral port. The stateful firewall can actually remember
the source address for the search requests and briefly allow replies sent to that same
destination. Jeff Message
content: TSPA With sufficient thrust, pigs fly just fine.
However, this is not necessarily a good idea. It is hard to be
sure where they are going to land, and it could be dangerous
sitting under them as they fly overhead. -- RFC 1925 From: Eric Norum [mailto:[email protected]] I
don't understand. The rules that I presented are for inbound packets.
I explicitly noted that they are sufficient only under the assumption
that outbound packets are not filtered. The
first rule -A INPUT -s 192.168.0.0/22 -p
udp --sport 5064 -j ACCEPT takes
care of incoming responses to PV search requests. The
second rule -A INPUT -s 192.168.0.0/22 -p
udp --dport 5065 -j ACCEPT takes
care of incoming beacons. As
far as I can tell, and as far as my empirical tests showed, these are sufficient
to allow clients to operate on a firewalled machine. Could
you clarify as to what you feel I've missed? On
Nov 5, 2010, at 3:14 PM, Jeff Hill wrote:
Hi
Eric, If
you want channel access clients on a machine to be able to see
-- |
- Replies:
- Re: Firewall (iptables) issues? Eric Norum
- References:
- Firewall (iptables) issues? Eric Norum
- Re: Firewall (iptables) issues? Ralph Lange
- Re: Firewall (iptables) issues? Eric Norum
- RE: Firewall (iptables) issues? Jeff Hill
- Re: Firewall (iptables) issues? Eric Norum
- Navigate by Date:
- Prev: Re: Firewall (iptables) issues? Eric Norum
- Next: Re: Firewall (iptables) issues? Eric Norum
- Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 <2010> 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
- Navigate by Thread:
- Prev: Re: Firewall (iptables) issues? Eric Norum
- Next: Re: Firewall (iptables) issues? Eric Norum
- Index: 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 <2010> 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024
·
Home
·
News
·
About
·
Base
·
Modules
·
Extensions
·
Distributions
·
Download
·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·