Firewall Ports to Open
MILS
If you see "No Route To Host" in SystemOut.log or SystemErr.log in the /watvid/mils/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1 directory, if you are not seeing the SSE in the SSE drop-down list when creating a channel, or if a cache refresh from the Cache Management tab results in a "No Route to Host" error, the issue might be that a firewall is active on the system running the MILS docker container.
The default firewall in Red Hat 7 is firewalld, and it is controlled by the firewall-cmd tool.
Firewall Configuration
Create and enable firewall services for Docker MILS and DLE
- Create a service called dockermils (or any name you prefer that is not already used)
firewall-cmd --permanent --new-service=dockermils
- Set a description for the dockermils service
firewall-cmd --permanent --service=dockermils --set-description="Docker MILS"
Check that the service is added successfully
firewall-cmd --reload
firewall-cmd --get-services
You should see dockermils in the list of services
- Add the required ports to the dockermils service
firewall-cmd --permanent --service=dockermils --add-port=443/tcp
firewall-cmd --permanent --service=dockermils --add-port=80/tcp
firewall-cmd --permanent --service=dockermils --add-port=9080/tcp
firewall-cmd --permanent --service=dockermils --add-port=9443/tcp
firewall-cmd --permanent --service=dockermils --add-port=9060/tcp
firewall-cmd --permanent --service=dockermils --add-port=9043/tcp
firewall-cmd --permanent --service=dockermils --add-port=5432/tcp
firewall-cmd --permanent --service=dockermils --add-port=1414/tcp
firewall-cmd --permanent --service=dockermils --add-port=7777/tcp
- Check that your service now has the required ports
firewall-cmd --reload
firewall-cmd --info-service=dockermils
You should see the list of ports added above
- Add the dockermils service to the public zone
firewall-cmd --permanent --zone=public --add-service=dockermils
Verify that the dockermils service and docker0 interface have been added to the public zone
firewall-cmd --reload
firewall-cmd --info-zone=public
You should now see something similar to:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 docker0
sources:
services: dhcpv6-client ssh dockermils
DLE port
You can create and enable a service for the DLE using the same commands as above, replacing the MILS ports with the DLE default port of 14001.
firewall-cmd --permanent --new-service=DLE
firewall-cmd --permanent --service=DLE --set-description="Deep Learning Engine"
firewall-cmd --reload
firewall-cmd --permanent --service=DLE --add-port=14001-14002/tcp
firewall-cmd --permanent --zone=public --add-service=DLE
firewall-cmd --reload
SSE
If there are many error messages in the child_xxxxx file, such as GetFramePtr, no frames in queue, it may be because the firewall on the system the SSE is running on has not been configured to allow the UDP ports that the SSE will use.
It is possible that a few of these error messages will occur when the SSE is first initializing the connection to the camera, but if they continue for more than a dozen seconds, you should check the firewall configuration.
The Linux SSE requires the following inbound UDP ports to be open between it and the RTSP source: 52000-52200 and 15947. The port 52000 is the default if the --rtsp-udp-start-port parameter to sseconfig.sh is not provided. If you provided a different start port, use that value when opening ports in your firewall.
If you are running the SSE on RHEL 7, the default firewall is called firewalld and is controlled using firewall-cmd. Create a new firewall service and add these ports to it. The following is an example of using firewall-cmd to open these ports:
firewall-cmd --new-service=sse --permanent
firewall-cmd --add-port=52000-52200/udp --service=sse --permanent
firewall-cmd --add-port=15947/udp --service=sse --permanent
firewall-cmd --add-port=60000/tcp --service=sse --permanent
firewall-cmd --reload
firewall-cmd --add-service=sse --zone=public --permanent
firewall-cmd --reload
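Added example (not part of the original documentation): a shell check that compares the ports line of firewall-cmd --info-service output against the ports this page gives for the dockermils and sse services, including range containment for the SSE UDP range. The function names and the sample outputs are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit firewalld service definitions against the ports this page lists.
# Function names and sample output below are constructed for illustration.

MILS_PORTS="443/tcp 80/tcp 9080/tcp 9443/tcp 9060/tcp 9043/tcp 5432/tcp 1414/tcp 7777/tcp"
SSE_PORTS="52000-52200/udp 15947/udp 60000/tcp"   # adjust if --rtsp-udp-start-port was set

# Read `firewall-cmd --info-service=NAME` output on stdin, print each "ports:" entry.
ports_from_info() {
    awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# port_covered WANT ENTRY...: succeed if one ENTRY (port or range, same protocol)
# contains all of WANT. A range split across several entries is reported as missing.
port_covered() {
    local want proto range wlo whi entry lo hi
    want=$1; shift
    proto=${want#*/}; range=${want%/*}
    wlo=${range%-*}; whi=${range#*-}
    for entry in "$@"; do
        [ "${entry#*/}" = "$proto" ] || continue
        range=${entry%/*}; lo=${range%-*}; hi=${range#*-}
        if [ "$lo" -le "$wlo" ] && [ "$hi" -ge "$whi" ]; then return 0; fi
    done
    return 1
}

# missing_ports INFO_OUTPUT REQUIRED...: print the required entries that are not open.
missing_ports() {
    local info opened req missing
    info=$1; shift; missing=""
    opened=$(printf '%s\n' "$info" | ports_from_info)
    for req in "$@"; do
        # $opened is split on whitespace on purpose: one argument per port entry
        port_covered "$req" $opened || missing="$missing $req"
    done
    echo "${missing# }"
}

# Constructed sample: 7777/tcp was never added to the service.
SAMPLE_MILS='dockermils
  ports: 443/tcp 80/tcp 9080/tcp 9443/tcp 9060/tcp 9043/tcp 5432/tcp 1414/tcp
  protocols:
  source-ports:'
# Constructed sample: the UDP range is shorter than the one the SSE needs.
SAMPLE_SSE='sse
  ports: 52000-52100/udp 15947/udp 60000/tcp'

echo "dockermils missing: $(missing_ports "$SAMPLE_MILS" $MILS_PORTS)"
echo "sse missing: $(missing_ports "$SAMPLE_SSE" $SSE_PORTS)"
# On a live host: missing_ports "$(firewall-cmd --info-service=dockermils)" $MILS_PORTS
```

An empty result means every required port is present in the service definition; the service must still be attached to the active zone for the ports to be reachable.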
If the SSE is expected to receive multicast streams, the firewall will need to be configured to allow the multicast packets.
firewall-cmd --new-zone=multicast --permanent
firewall-cmd --zone=multicast --add-interface=<interface-device-name> --permanent
firewall-cmd --zone=multicast --add-protocol=igmp --permanent
firewall-cmd --zone=multicast --add-protocol=icmp --permanent
firewall-cmd --zone=multicast --add-source=224.0.0.0/4 --permanent
firewall-cmd --zone=multicast --add-source=<ip-subnet-of-interface> --permanent
firewall-cmd --zone=multicast --add-port=5000/udp --permanent
firewall-cmd --reload
Because the docker container for the SSE uses host networking instead of a separate container network, the value for <interface-device-name> should be the actual network device, not a docker device. For example: enp0s31f6. Likewise, the value for <ip-subnet-of-interface> should be the network specification for that device. For example: 10.0.0.0/24