Firewall Ports to Open

MILS

If you see "No Route To Host" in SystemOut.log or SystemErr.log in the /watvid/mils/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1 directory, if the SSE does not appear in the SSE drop-down list when creating a channel, or if a cache refresh from the Cache Management tab returns a "No Route to Host" error, the cause might be an active firewall on the system running the MILS docker container.

The default firewall in RedHat 7 is firewalld and it is controlled by the firewall-cmd tool.

Firewall Configuration

Create and Enable firewall services for Docker MILS and DLE

  1. Create a service called dockermils (or any name you prefer that is not already used)

firewall-cmd --permanent --new-service=dockermils

  2. Set a description for the dockermils service

firewall-cmd --permanent --service=dockermils --set-description="Docker MILS"

Check that the service was added successfully

firewall-cmd --reload

firewall-cmd --get-services

You should see dockermils in the list of services

  3. Add the required ports to the dockermils service

firewall-cmd --permanent --service=dockermils --add-port=443/tcp

firewall-cmd --permanent --service=dockermils --add-port=80/tcp

firewall-cmd --permanent --service=dockermils --add-port=9080/tcp

firewall-cmd --permanent --service=dockermils --add-port=9443/tcp

firewall-cmd --permanent --service=dockermils --add-port=9060/tcp

firewall-cmd --permanent --service=dockermils --add-port=9043/tcp

firewall-cmd --permanent --service=dockermils --add-port=5432/tcp

firewall-cmd --permanent --service=dockermils --add-port=1414/tcp

firewall-cmd --permanent --service=dockermils --add-port=7777/tcp

  4. Check that your service now has the required ports

firewall-cmd --reload

firewall-cmd --info-service=dockermils

You should see the list of ports added above

  5. Add the dockermils service to the public zone

firewall-cmd --permanent --zone=public --add-service=dockermils

Verify that the dockermils service and docker0 interface have been added to the public zone

firewall-cmd --reload

firewall-cmd --info-zone=public

You should now see something similar to:

public (active)

target: default

icmp-block-inversion: no

interfaces: ens192 docker0

sources:

services: dhcpv6-client ssh dockermils

DLE port

You can create and enable a service for the DLE using the same commands as above but replacing the ports for the MILS with the DLE default port of 14001.

firewall-cmd --permanent --new-service=DLE
firewall-cmd --permanent --service=DLE --set-description="Deep Learning Engine"
firewall-cmd --reload
firewall-cmd --permanent --service=DLE --add-port=14001-14002/tcp
firewall-cmd --permanent --zone=public --add-service=DLE
firewall-cmd --reload

SSE

If there are many error messages in the child_xxxxx file, such as GetFramePtr, no frames in queue, it may be because the firewall on the system the SSE is running on has not been configured to allow the UDP ports that the SSE will use. It is possible that a few of these error messages will occur when the SSE is first initializing the connection to the camera, but if they continue for more than a dozen seconds, you should check the firewall configuration.

The Linux SSE requires the following inbound UDP ports to be open between it and the RTSP source: 52000-52200 and 15947. The port 52000 is the default if the --rtsp-udp-start-port parameter to sseconfig.sh is not provided. If you provided a different start port, use that value when opening ports in your firewall.

If you are running the SSE on RHEL 7, the default firewall is called firewalld and is controlled using firewall-cmd. Create a new firewall service and add these ports to it. The following is an example of using firewall-cmd to open these ports:

firewall-cmd --new-service=sse --permanent
firewall-cmd --add-port=52000-52200/udp --service=sse --permanent
firewall-cmd --add-port=15947/udp --service=sse --permanent
firewall-cmd --add-port=60000/tcp --service=sse --permanent
firewall-cmd --reload
firewall-cmd --add-service=sse --zone=public --permanent
firewall-cmd --reload
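
To confirm that the dockermils and sse services open exactly the ports listed on this page, the following added example (not part of the original documentation) compares a service's port list with the required list, treating ranges such as 52000-52200/udp as covering the ports inside them. The function names and the sample port list are constructed for illustration; the required lists are copied from the commands above.

```bash
#!/usr/bin/env bash
# Added example: audit a firewalld service's ports against the ports this page
# requires. Entries use firewalld notation: "port/proto" or "start-end/proto".

# Required ports, copied from the firewall-cmd commands on this page.
MILS_REQUIRED="443/tcp 80/tcp 9080/tcp 9443/tcp 9060/tcp 9043/tcp 5432/tcp 1414/tcp 7777/tcp"
SSE_REQUIRED="52000-52200/udp 15947/udp 60000/tcp"

# covers ENTRY WANTED: succeeds if ENTRY (port or range) includes all of WANTED.
covers() {
    local e_proto="${1#*/}" w_proto="${2#*/}"
    local e_ports="${1%/*}" w_ports="${2%/*}"
    [ "$e_proto" = "$w_proto" ] || return 1
    # For a single port, low and high bounds are the same value.
    local e_lo="${e_ports%-*}" e_hi="${e_ports#*-}"
    local w_lo="${w_ports%-*}" w_hi="${w_ports#*-}"
    [ "$e_lo" -le "$w_lo" ] && [ "$w_hi" -le "$e_hi" ]
}

# missing_ports REQUIRED OPENED: print required entries no opened entry covers.
# A required range split across two opened entries is reported as missing.
missing_ports() {
    local want have found out=""
    for want in $1; do
        found=0
        for have in $2; do
            if covers "$have" "$want"; then found=1; break; fi
        done
        [ "$found" -eq 1 ] || out="$out $want"
    done
    echo "${out# }"
}

# extra_ports REQUIRED OPENED: print opened entries wider than, or absent from,
# the required list (exposure the service does not need).
extra_ports() { missing_ports "$2" "$1"; }

# Constructed sample: two MILS ports forgotten, one unrelated port left open.
SAMPLE_OPENED="443/tcp 80/tcp 9080/tcp 9443/tcp 5432/tcp 1414/tcp 7777/tcp 8080/tcp"
echo "missing: $(missing_ports "$MILS_REQUIRED" "$SAMPLE_OPENED")"
echo "extra:   $(extra_ports "$MILS_REQUIRED" "$SAMPLE_OPENED")"

# On a live host, replace the sample with the service's permanent port list:
#   missing_ports "$MILS_REQUIRED" "$(firewall-cmd --permanent --service=dockermils --get-ports)"
```

If you passed a different --rtsp-udp-start-port to sseconfig.sh, edit SSE_REQUIRED to match before running the check.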

If the SSE is expected to receive multicast streams, the firewall will need to be configured to allow the multicast packets.

firewall-cmd --new-zone=multicast --permanent
firewall-cmd --zone=multicast --add-interface=<interface-device-name> --permanent
firewall-cmd --zone=multicast --add-protocol=igmp --permanent
firewall-cmd --zone=multicast --add-protocol=icmp --permanent
firewall-cmd --zone=multicast --add-source=224.0.0.0/4 --permanent
firewall-cmd --zone=multicast --add-source=<ip-subnet-of-interface> --permanent
firewall-cmd --zone=multicast --add-port=5000/udp --permanent
firewall-cmd --reload

Because the docker container for the SSE uses host networking instead of a separate container network, the value for <interface-device-name> should be the actual network device, not a docker device. For example: enp0s31f6. Likewise, the value for <ip-subnet-of-interface> should be the network specification for that device. For example: 10.0.0.0/24