6–9 Jul 2021
Online
GMT timezone

Dynamic firewall manager prototype for EPICS Channel Access

8 Jul 2021, 17:10
15m
Online

Track: Tools

Speaker

Ru Igarashi (Canadian Light Source)

Description

Background: Setting up firewalls on EPICS IOCs is a troublesome matter. When multiple IOCs run on a server, all but the first one use random port numbers to establish connections with clients, whereas openings in firewalls tend to be defined by fixed port numbers.

Purpose: Dynamically manage firewalls as IOC applications come and go.

Method: A prototype service was developed that detects new or lost instances of IOC applications through Channel Access beacons and process IDs, and adds or removes firewall openings automatically, without prior knowledge of the IOC applications. There are Perl and Python versions (to accommodate whichever is installed on the IOCs), and the service works with iptables, nft, and firewalld.

Results: Over multiple restarts and a couple of weeks of testing, firewall openings worked fine, but occasionally some openings did not close, mostly due to the timing of restarting the service.

Conclusion: The concept works on a small scale, but it has not been tested on large servers or in a production environment.
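The beacon-driven part of the method can be sketched in a few dozen lines. The following is an added illustration, not the prototype described in this talk: it decodes the 16-byte Channel Access beacon header (command 13, payload size 0, CA minor version, server TCP port, beacon id, server IPv4 address with 0 meaning "use the UDP sender address"), opens the advertised port on the first beacon from a local server, and closes it again once beacons have stopped for a configurable TTL. Two details are assumptions of this example rather than anything the abstract states: it uses an nft set named `inet filter ca_ports` that an accept rule (`tcp dport @ca_ports accept`) references and that is created once outside the script, and it flushes that set at startup so openings left behind by a previous run do not linger, which is the failure mode the Results section mentions. Beacons whose server address is not one of the host's own addresses are ignored, because every IOC on the subnet broadcasts beacons and a firewall manager must not open ports on the strength of another host's (or a spoofed) announcement. The process-ID check from the abstract is not reproduced here.

```python
"""Beacon-driven firewall manager sketch for EPICS Channel Access (added example)."""
import shlex
import socket
import struct
import subprocess
import time
from dataclasses import dataclass

CA_PROTO_RSRV_IS_UP = 13          # CA command id carried by server beacons
NFT_SET = "inet filter ca_ports"  # assumed: pre-created set of TCP ports used by an accept rule


@dataclass(frozen=True)
class Beacon:
    minor_version: int
    server_port: int
    beacon_id: int
    server_ip: str


def make_beacon(port, beacon_id, server_ip="0.0.0.0"):
    """Build a constructed beacon header for testing; 0.0.0.0 stands for
    'the sender's address', as a real IOC may advertise."""
    addr = struct.unpack("!I", socket.inet_aton(server_ip))[0]
    return struct.pack("!HHHHII", CA_PROTO_RSRV_IS_UP, 0, 13, port, beacon_id, addr)


def parse_beacon(pkt, sender_ip):
    """Decode a CA beacon header (network byte order): command, payload size,
    data type = CA minor version, data count = server TCP port,
    parameter 1 = beacon id, parameter 2 = server IPv4 (0: use sender_ip)."""
    if len(pkt) < 16:
        raise ValueError("packet shorter than a CA header")
    cmd, payload, minor, port, beacon_id, addr = struct.unpack("!HHHHII", pkt[:16])
    if cmd != CA_PROTO_RSRV_IS_UP or payload != 0:
        raise ValueError(f"not a CA beacon: cmd={cmd} payload={payload}")
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid server port {port}")
    ip = socket.inet_ntoa(struct.pack("!I", addr)) if addr else sender_ip
    return Beacon(minor, port, beacon_id, ip)


class FirewallManager:
    """Open a local IOC's TCP port on its first beacon; close it after ttl_s
    seconds without beacons (a healthy server re-announces every few seconds)."""

    def __init__(self, local_ips, ttl_s=60.0, clock=time.monotonic, execute=False):
        self.local_ips = set(local_ips)   # only act on servers running on this host
        self.ttl_s = ttl_s
        self.clock = clock                # injectable for testing
        self.execute = execute            # False: return the nft commands, do not run them
        self.last_seen = {}               # port -> time of last beacon

    def _run(self, cmds):
        if self.execute:
            for c in cmds:
                subprocess.run(shlex.split(c), check=True)
        return cmds

    def startup_commands(self):
        """Start from an empty set so openings left by a previous run do not linger."""
        return self._run([f"nft flush set {NFT_SET}"])

    def on_beacon(self, b):
        if b.server_ip not in self.local_ips:
            return []                     # another host's (or a spoofed) beacon: ignore
        is_new = b.server_port not in self.last_seen
        self.last_seen[b.server_port] = self.clock()
        return self._run([f"nft add element {NFT_SET} {{ {b.server_port} }}"] if is_new else [])

    def expire(self):
        """Close ports whose server has gone silent for longer than the TTL."""
        now = self.clock()
        stale = [p for p, t in self.last_seen.items() if now - t > self.ttl_s]
        for p in stale:
            del self.last_seen[p]
        return self._run([f"nft delete element {NFT_SET} {{ {p} }}" for p in stale])


if __name__ == "__main__":
    # Constructed walk-through: one local IOC appears, repeats, then disappears.
    mgr = FirewallManager({"10.0.0.5"}, ttl_s=30.0)
    print(mgr.startup_commands())
    ioc = parse_beacon(make_beacon(5064, 1), "10.0.0.5")
    print(mgr.on_beacon(ioc))            # first beacon: port opened
    print(mgr.on_beacon(ioc))            # repeat: nothing to do
    mgr.last_seen[5064] -= 31.0          # simulate 31 s of silence
    print(mgr.expire())                  # port closed
```

With `execute=True` the same commands are passed to `nft`; a real service would feed `on_beacon` from a UDP socket bound to the beacon port and call `expire` on a timer, and would cross-check the port against a listening local process as the prototype does with process IDs.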

Talk duration 15 minutes + questions

Primary author

Ru Igarashi (Canadian Light Source)