Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Announcing nf_conntrack_epics
From: Michael Ritzert <michael.ritzert@ziti.uni-heidelberg.de>
To: EPICS Tech Talk <tech-talk@aps.anl.gov>
Date: Wed, 6 Dec 2017 14:15:45 +0100
Dear all,

this is to announce the availability of nf_conntrack_epics, a Linux kernel
module that implements firewall connection tracking for EPICS.

The CA reference¹ suggests adding a rule
 -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
which effectively means to completely open UDP to the host since the source
port can easily be chosen by an attacker.

To circumvent this, I have implemented a connection tracking module that
dynamically only opens the minimal number of ports required.

For EPICS CA clients, just loading this module is enough.

For EPICS CA servers, unconditionally opening port 5064, TCP and UDP, is
also required.

We are running this module in a production environment based on SL7 already.

The downside of this module is that unsolicited broadcast packets cannot be
seen without further configuration.

The code is available from
 https://github.com/sus-ziti-uni-hd/nf_conntrack_epics .

Best regards,
Michael

¹ http://www.aps.anl.gov/epics/base/R3-14/12-docs/CAref.html#firewall
-- 
Dr. Michael Ritzert                   Tel: +49 621 181 2883
Schaltungstechnik und Simulation      Fax: +49 621 181 2734
Technische Informatik, Uni Heidelberg michael.ritzert@ziti.uni-heidelberg.de
68131 Mannheim, Germany               http://sus.ziti.uni-heidelberg.de
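Added illustration (not code from the post or from nf_conntrack_epics): a toy packet-filter model contrasting the source-port rule quoted above with expectation-based tracking of CA search replies. The `Expectations` class is a simplified, assumed stand-in for how a conntrack helper narrows the opening; the packets and addresses are constructed.

```python
"""Toy packet-filter model (constructed for this post, not code from
nf_conntrack_epics) contrasting the source-port rule from the CA reference
with expectation-based tracking of CA search replies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CA_PORT = 5064                           # CA name-search / server port
TRUSTED = ip_network("192.168.0.0/22")   # the -s range from the quoted rule


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def weak_rule_accepts(pkt: Pkt) -> bool:
    """-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
    Only the *source* port is checked, and the sender chooses that."""
    return ip_address(pkt.src) in TRUSTED and pkt.sport == CA_PORT


class Expectations:
    """Assumed, simplified stand-in for a conntrack helper: an outbound
    search to UDP/5064 records the client socket that sent it, and only a
    reply from port 5064 back to that exact socket is let in."""

    def __init__(self) -> None:
        self._open: set[tuple[str, int]] = set()

    def outbound(self, pkt: Pkt) -> None:
        if pkt.dport == CA_PORT:
            self._open.add((pkt.src, pkt.sport))

    def inbound_accepts(self, pkt: Pkt) -> bool:
        return (ip_address(pkt.src) in TRUSTED
                and pkt.sport == CA_PORT
                and (pkt.dst, pkt.dport) in self._open)


def compare() -> dict[str, tuple[bool, bool]]:
    """Return {name: (weak_rule_accepts, tracked_accepts)} for sample packets."""
    client = "192.168.1.10"
    search = Pkt(client, 40123, "192.168.3.255", CA_PORT)   # broadcast search
    reply = Pkt("192.168.2.5", CA_PORT, client, 40123)      # legitimate reply
    probe = Pkt("192.168.2.99", CA_PORT, client, 161)       # sport forged to 5064
    tracker = Expectations()
    tracker.outbound(search)
    return {name: (weak_rule_accepts(p), tracker.inbound_accepts(p))
            for name, p in (("reply", reply), ("probe", probe))}
```

The static rule passes both packets; the tracked version passes only the reply to the socket that actually sent a search, which is the "minimal number of ports" the announcement refers to.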


