EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: Firewall (iptables) issues?
From: Eric Norum <[email protected]>
To: "Jeff Hill" <[email protected]>
Cc: [email protected]
Date: Fri, 5 Nov 2010 15:53:49 -0700

On Nov 5, 2010, at 3:50 PM, Jeff Hill wrote:

>I don't understand.  The rules that I presented are for inbound packets.
>If you want channel access _clients_ on a machine to be able to see _replies_ to broadcast PV search requests
 
> The first rule
>          -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
> takes care of incoming responses to PV search requests.
 
> The server typically does not send udp response frames back to the client using port 5064
> as the destination address because the client’s udp port is ephemeral (dynamically assigned).
> The server instead sends it responses to a destination address which is whatever source
> address it finds in the incoming udp request frame.

Right.
I think that you're missing the fact that this rule opens the firewall for packets with *source* port 5064, not with *destination* port 5064.

 
> Thus enabling 5064 for the client doesn’t hurt anything, but it probably doesn’t help, actually
> emasculates the firewall, and maybe it works now for you only because the stateful firewall transparently
> allows replies from the server that are being sent to the client’s ephemeral port. The stateful
> firewall can actually remember the source address for the search requests and briefly allow
> replies sent to that same destination.
 

-- 
Eric Norum
[email protected]
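Added example, not part of the thread and not EPICS or netfilter code: a toy Python model contrasting the stateless `--sport 5064` rule quoted above with a simplified stateful filter that admits only replies to the client's own search requests. The client address, ephemeral port and server addresses are constructed, and the stateful filter is a deliberate simplification of connection tracking, not a reimplementation of it.

```python
"""Toy model: the stateless '--sport 5064' ACCEPT rule from the thread beside a
simplified stateful filter that only admits replies to the client's own
search requests. A teaching model, not a reimplementation of conntrack."""
import ipaddress
from dataclasses import dataclass

CA_UDP_PORT = 5064                             # Channel Access server UDP port
LAN = ipaddress.ip_network("192.168.0.0/22")   # subnet used in the quoted rule

@dataclass(frozen=True)
class Udp:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int

def stateless_sport_rule(pkt: Udp) -> bool:
    """-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT: matches on the
    *source* port only, whatever the destination port and whether or not asked."""
    return ipaddress.ip_address(pkt.src_ip) in LAN and pkt.sport == CA_UDP_PORT

class StatefulFilter:
    """Admits an inbound datagram only if it answers a remembered outbound request."""
    def __init__(self) -> None:
        self.pending: set[tuple[str, int, int]] = set()

    def outbound(self, pkt: Udp) -> None:
        # remember the client side: client IP, ephemeral port, service port asked
        self.pending.add((pkt.src_ip, pkt.sport, pkt.dport))

    def inbound(self, pkt: Udp) -> bool:
        # reply must come from the service port and land on the same client port
        return (pkt.dst_ip, pkt.dport, pkt.sport) in self.pending

def run_scenario() -> dict[str, tuple[bool, bool]]:
    """(stateless accepts, stateful accepts) for constructed sample datagrams."""
    client_ip, eph = "192.168.1.10", 40000     # constructed client, ephemeral port
    fw = StatefulFilter()
    # the client broadcasts a PV search to the CA UDP port on its /22
    fw.outbound(Udp(client_ip, eph, "192.168.3.255", CA_UDP_PORT))
    pkts = {
        # a server answers from its own address to the client's ephemeral port
        "search_reply": Udp("192.168.2.5", CA_UDP_PORT, client_ip, eph),
        # an unsolicited datagram that merely carries source port 5064
        "unsolicited_sport_5064": Udp("192.168.2.99", CA_UDP_PORT, client_ip, 22),
        # a datagram aimed at a port the client never searched from
        "wrong_client_port": Udp("192.168.2.5", CA_UDP_PORT, client_ip, 40001),
    }
    return {n: (stateless_sport_rule(p), fw.inbound(p)) for n, p in pkts.items()}
```

The stateless rule accepts all three datagrams because it looks only at the source port, while the stateful filter accepts only the genuine search reply.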

