2. How to configure a firewall for SSH and for EPICS
2.1. Firewall configuration for SSH
On the host and target computer(s), make sure that port 22 (the default SSH port) is open:
E.g. with firewalld (for Fedora, CentOS, Rocky Linux, Alma Linux, etc.):
$ sudo firewall-cmd --add-port=22/tcp --permanent
$ sudo firewall-cmd --reload
E.g. with ufw (for Ubuntu, Manjaro, openSUSE, Gentoo, etc.):
$ sudo ufw allow 22/tcp
Or with iptables (for any distro, if firewalld and ufw are not available):
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
then restart the iptables service, e.g. on a systemd-based distro:
$ sudo systemctl restart iptables
2.2. Standard firewall configuration for EPICS
2.2.1. Standard firewall configuration for Channel Access (CA)
On the host only, make sure that port 5064 and port 5065 (the default CA ports) are open:
E.g. with firewalld:
$ sudo firewall-cmd --add-port=5064/tcp --permanent
$ sudo firewall-cmd --add-port=5064/udp --permanent
$ sudo firewall-cmd --add-port=5065/udp --permanent
$ sudo firewall-cmd --add-port=5065/tcp --permanent
$ sudo firewall-cmd --reload
E.g. with ufw:
$ sudo ufw allow 5064/tcp
$ sudo ufw allow 5064/udp
$ sudo ufw allow 5065/tcp
$ sudo ufw allow 5065/udp
Or with iptables:
$ sudo iptables -A INPUT -p tcp --dport 5064 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --sport 5064 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 5064 -j ACCEPT
$ sudo iptables -A INPUT -p udp --sport 5064 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 5065 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --sport 5065 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 5065 -j ACCEPT
$ sudo iptables -A INPUT -p udp --sport 5065 -j ACCEPT
then restart the iptables service, e.g. on a systemd-based distro:
$ sudo systemctl restart iptables
Important
On the host, if you intend to run more than one IOC program, then you have to read the TCP ports limitation explanations! This is important because in this case you will have to open more ports (usually one additional TCP port and one additional UDP port per IOC program), and this will have an impact on the configuration of the IOC clients. To open additional ports, just repeat the previous step with the desired port numbers.
2.2.2. Standard firewall configuration for PV Access (PVA)
On the host only, make sure that port 5075 and port 5076 (the default PVA ports) are open:
E.g. with firewalld:
$ sudo firewall-cmd --add-port=5075/tcp --permanent
$ sudo firewall-cmd --add-port=5076/udp --permanent
$ sudo firewall-cmd --reload
E.g. with ufw:
$ sudo ufw allow 5075/tcp
$ sudo ufw allow 5076/udp
Or with iptables:
$ sudo iptables -A INPUT -p tcp --dport 5075 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --sport 5075 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 5076 -j ACCEPT
$ sudo iptables -A INPUT -p udp --sport 5076 -j ACCEPT
then restart the iptables service, e.g. on a systemd-based distro:
$ sudo systemctl restart iptables
2.3. Very OPTIONAL paranoid firewall configuration for EPICS
2.3.1. Paranoid firewall configuration for Channel Access (CA)
If you want to make sure that absolutely no CA messages can get out of your host computer, then apply the following configurations.
Warning
If doing this, then you won’t be able to access host PVs from another computer (i.e. no monitoring, no archiving, no alarms etc.).
On the host only, make sure that port 5064 and port 5065 (the default CA ports) are open only for localhost.
E.g. with firewalld:
# firewall-cmd --permanent --new-service=local-ca
# firewall-cmd --permanent --service=local-ca --set-description="EPICS Channel Access for localhost only"
# firewall-cmd --permanent --service=local-ca --set-short="EPICS CA for localhost only"
# firewall-cmd --permanent --service=local-ca --add-protocol=tcp
# firewall-cmd --permanent --service=local-ca --add-protocol=udp
# firewall-cmd --permanent --service=local-ca --add-port=5064/tcp
# firewall-cmd --permanent --service=local-ca --add-port=5065/udp
# firewall-cmd --permanent --service=local-ca --add-source-port=5064/tcp
# firewall-cmd --permanent --service=local-ca --add-source-port=5065/udp
# firewall-cmd --permanent --service=local-ca --set-destination=ipv4:127.0.0.1
# firewall-cmd --reload
# firewall-cmd --info-service=local-ca
> local-ca
>   ports: 5065/udp 5064/tcp
>   protocols: tcp udp
>   source-ports: 5064/tcp 5065/udp
>   modules:
>   destination: ipv4:127.0.0.1
# firewall-cmd --permanent --new-zone=local-epics
# firewall-cmd --permanent --zone=local-epics --add-source=127.0.0.1
# firewall-cmd --reload
# firewall-cmd --get-zones
# firewall-cmd --permanent --zone=local-epics --add-service=local-ca
# firewall-cmd --reload
# firewall-cmd --zone=local-epics --list-services
> local-ca
# firewall-cmd --zone=local-epics --query-service=local-ca
> yes
E.g. with ufw (ufw needs the proto keyword and numeric addresses):
# ufw allow proto tcp from 127.0.0.1 to 127.0.0.1 port 5064
# ufw allow proto udp from 127.0.0.1 to 127.0.0.1 port 5065
Or with iptables: TODO
On the host, if you intend to run more than one IOC program, then you have to read the TCP ports limitation explanations! This is important because in this case you will have to open more ports (usually one additional TCP port and one additional UDP port per IOC program), and this will have an impact on the configuration of the IOC clients. To open additional ports, just repeat the previous step with the desired port numbers.
2.3.2. Paranoid firewall configuration for PV Access (PVA)
If you want to make sure that absolutely no PVA messages can get out of your host computer, then apply the following configurations.
Warning
If doing this, then you won’t be able to access host PVs from another computer (i.e. no monitoring, no archiving, no alarms etc.).
On the host only, make sure that port 5075 and port 5076 (the default PVA ports) are open only for localhost.
E.g. with firewalld (the service created is local-pva, so every --service option must name local-pva):
# firewall-cmd --permanent --new-service=local-pva
# firewall-cmd --permanent --service=local-pva --set-description="EPICS PV Access for localhost only"
# firewall-cmd --permanent --service=local-pva --set-short="EPICS PVA for localhost only"
# firewall-cmd --permanent --service=local-pva --add-protocol=tcp
# firewall-cmd --permanent --service=local-pva --add-protocol=udp
# firewall-cmd --permanent --service=local-pva --add-port=5075/tcp
# firewall-cmd --permanent --service=local-pva --add-port=5076/udp
# firewall-cmd --permanent --service=local-pva --add-source-port=5075/tcp
# firewall-cmd --permanent --service=local-pva --add-source-port=5076/udp
# firewall-cmd --permanent --service=local-pva --set-destination=ipv4:127.0.0.1
# firewall-cmd --reload
# firewall-cmd --info-service=local-pva
> local-pva
>   ports: 5076/udp 5075/tcp
>   protocols: tcp udp
>   source-ports: 5075/tcp 5076/udp
>   modules:
>   destination: ipv4:127.0.0.1
# firewall-cmd --permanent --new-zone=local-epics
# firewall-cmd --permanent --zone=local-epics --add-source=127.0.0.1
# firewall-cmd --reload
# firewall-cmd --get-zones
# firewall-cmd --permanent --zone=local-epics --add-service=local-pva
# firewall-cmd --reload
# firewall-cmd --zone=local-epics --list-services
> local-pva
# firewall-cmd --zone=local-epics --query-service=local-pva
> yes
E.g. with ufw (ufw needs the proto keyword and numeric addresses):
# ufw allow proto tcp from 127.0.0.1 to 127.0.0.1 port 5075
# ufw allow proto udp from 127.0.0.1 to 127.0.0.1 port 5076
Or with iptables: TODO
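As an added check covering both the standard rules of section 2.2 and the localhost-only rules of section 2.3 (example code written here, not from this page or the EPICS project): a POSIX shell function that reads the output of `iptables -S INPUT` and reports, for each EPICS CA/PVA port, whether it is reachable from anywhere, from localhost only, or not at all. The rule set embedded below is constructed for the demonstration, and the function assumes the chain ends in a DROP policy or a final REJECT rule.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the INPUT chain for the
# EPICS ports used in sections 2.2 and 2.3 and classify each one as
#   ANY    - accepted from every source  (section 2.2, "standard" setup)
#   LOCAL  - accepted from 127.0.0.1 only (section 2.3, "paranoid" setup)
#   CLOSED - no ACCEPT rule for that destination port/protocol
# Input: lines as printed by `iptables -S INPUT`. CLOSED is only meaningful
# when the chain policy is DROP (or a trailing REJECT rule exists).
# Only --dport rules count: a remote client picks its own source port, so an
# ACCEPT keyed on --sport alone does not restrict who can reach the host.
epics_fw_audit() {
    awk '
    BEGIN {
        n = split("5064/tcp 5064/udp 5065/tcp 5065/udp 5075/tcp 5076/udp", want, " ")
        for (i = 1; i <= n; i++) state[want[i]] = "CLOSED"
    }
    /^-A INPUT / && / -j ACCEPT/ {
        proto = ""; port = ""; src = "any"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "-s")      src   = $(i + 1)
        }
        key = port "/" proto
        if (!(key in state)) next
        # iptables -S prints a localhost-only source as 127.0.0.1/32
        if (src == "127.0.0.1/32" || src == "127.0.0.1") {
            if (state[key] == "CLOSED") state[key] = "LOCAL"
        } else {
            state[key] = "ANY"
        }
    }
    END { for (i = 1; i <= n; i++) print want[i], state[want[i]] }'
}
# Constructed sample (not captured from a real host): CA restricted to
# localhost, PVA TCP open to everyone, PVA UDP only matched on --sport.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5064 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 5065 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5075 -j ACCEPT
-A INPUT -p udp -m udp --sport 5076 -j ACCEPT'
# Returns the audit of the sample; on a real host use:
#   sudo iptables -S INPUT | epics_fw_audit
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | epics_fw_audit
}
audit_sample
```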