Subject: Announcing nf_conntrack_epics
From: Michael Ritzert <[email protected]>
To: EPICS Tech Talk <[email protected]>
Date: Wed, 6 Dec 2017 14:15:45 +0100
Dear all,

this is to announce the availability of nf_conntrack_epics, a Linux kernel
module that implements firewall connection tracking for EPICS.

The CA reference¹ suggests adding a rule
 -A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT
which effectively means to completely open UDP to the host since the source
port can easily be chosen by an attacker.

To circumvent this, I have implemented a connection tracking module that
only dynamically opens the minimal number of ports required.

For EPICS CA clients, just loading this module is enough.

For EPICS CA servers, unconditionally opening port 5064, TCP and UDP, is
also required.

We are running this module in a production environment based on SL7 already.

The downside of this module is that unsolicited broadcast packets cannot be
seen without further configuration.

The code is available from
 https://github.com/sus-ziti-uni-hd/nf_conntrack_epics .

Best regards,
Michael

¹ http://www.aps.anl.gov/epics/base/R3-14/12-docs/CAref.html#firewall
-- 
Dr. Michael Ritzert                   Tel: +49 621 181 2883
Schaltungstechnik und Simulation      Fax: +49 621 181 2734
Technische Informatik, Uni Heidelberg [email protected]
68131 Mannheim, Germany               http://sus.ziti.uni-heidelberg.de

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
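
The point of the announcement, illustrated as an added example that is not part of the original mail and not code from the nf_conntrack_epics project: the CAref rule accepts every inbound UDP datagram from the subnet whose source port happens to be 5064, whereas a connection-tracking helper admits only datagrams that answer something the host itself sent. The toy `ConntrackFilter` below is an assumed model of the client-side behaviour (an outbound datagram to port 5064 creates an expectation for replies from source port 5064 to the same local port, broadcast searches accept a reply from any LAN host, entries expire); it is not the module's actual logic, and the packet trace, addresses and timeout are constructed for the demonstration. The last case also shows the downside the mail mentions: an unsolicited datagram that no outbound packet preceded is dropped.

```python
"""Stateless source-port rule vs. a connection-tracked filter for CA over UDP.

Added example with constructed data; the conntrack model is an assumption,
not the behaviour of nf_conntrack_epics itself.
"""
import ipaddress
from dataclasses import dataclass

CA_PORT = 5064                                     # default CA server port (from the mail)
LAN = ipaddress.ip_network("192.168.0.0/22")       # subnet used in the CAref rule


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the protected host, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int


def stateless_accept(pkt: Packet) -> bool:
    """Models '-A INPUT -s 192.168.0.0/22 -p udp --sport 5064 -j ACCEPT':
    any inbound UDP from the LAN with source port 5064 is accepted, whatever
    its destination port and regardless of whether the host asked for it."""
    return (pkt.direction == "in"
            and ipaddress.ip_address(pkt.src) in LAN
            and pkt.sport == CA_PORT)


class ConntrackFilter:
    """Toy connection tracker (assumed model): remembers outbound datagrams
    sent to port 5064 and admits only matching replies until they expire."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        # local port -> (expected peer address, or None for a broadcast search; expiry time)
        self.expectations = {}

    def filter(self, pkt: Packet, now: float) -> bool:
        if pkt.direction == "out":
            if pkt.dport == CA_PORT:
                dst = ipaddress.ip_address(pkt.dst)
                peer = None if dst == LAN.broadcast_address else dst
                self.expectations[pkt.sport] = (peer, now + self.timeout)
            return True                               # outbound traffic is not restricted here
        entry = self.expectations.get(pkt.dport)
        if entry is None:
            return False                              # nothing was sent from this local port
        peer, expiry = entry
        if now > expiry:
            del self.expectations[pkt.dport]          # stale expectation, close the port again
            return False
        if pkt.sport != CA_PORT:
            return False                              # a CA reply comes from the server port
        src = ipaddress.ip_address(pkt.src)
        return src in LAN if peer is None else src == peer


def run_scenario():
    """Replay a constructed packet trace through both policies.
    Returns a list of (label, accepted_by_stateless_rule, accepted_by_conntrack)."""
    ct = ConntrackFilter(timeout=30.0)
    host, server, other = "192.168.1.10", "192.168.2.5", "192.168.2.77"
    trace = [
        (0.0,  "unsolicited datagram before any search", Packet("in", server, CA_PORT, host, 40000)),
        (1.0,  "client broadcasts a CA search",          Packet("out", host, 40000, "192.168.3.255", CA_PORT)),
        (1.1,  "server answers the search",              Packet("in", server, CA_PORT, host, 40000)),
        (1.2,  "sport 5064 aimed at an unrelated port",  Packet("in", other, CA_PORT, host, 22)),
        (60.0, "late answer after the entry expired",    Packet("in", server, CA_PORT, host, 40000)),
        (61.0, "client sends a unicast search",          Packet("out", host, 40001, server, CA_PORT)),
        (61.1, "reply from a host that was not asked",   Packet("in", other, CA_PORT, host, 40001)),
    ]
    return [(label, stateless_accept(pkt), ct.filter(pkt, now)) for now, label, pkt in trace]


if __name__ == "__main__":
    for label, stateless, conntrack in run_scenario():
        print(f"{label:45s} stateless={stateless!s:5} conntrack={conntrack}")
```

Running it shows the stateless rule accepting every inbound line, including the one aimed at port 22 and the reply from a host the client never asked, while the tracked filter passes only the two genuine answers. The servers' side from the mail (port 5064 open unconditionally for TCP and UDP) is not modelled here.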