This post pertains to setting up Firewall rules with FactoryPMI, particularly when putting your projects on the Internet. These aren’t the simplest of networking topics, but I’m sure you’ll be able to tackle the concepts!
Let’s begin with how FactoryPMI communicate.
FactoryPMI Clients talk to FactoryPMI Gateways over a single TCP port, 8080 by default, but you can choose any. This means that you may need to open up an outgoing TCP port on your firewall between your client computers and FactoryPMI Gateway. It also means that you DON’T EVER NEED to open up other TCP ports or any UDP ports for communication between client and gateway.
FactoryPMI Gateways in a clustered configuration communicate with each other via UDP multicast.
Now let’s get a few things straight with TCP (Transmission Control Protocol) versus UDP (User Datagram Protocol). First, they’re Transport Layer protocols (OSI layer 4) that both run on top of IP (a Network Layer protocol, layer 3). This means that they are BOTH ROUTABLE (IP’s doing the routing just like it’s doing the addressing). Both TCP and UDP add the notion of ports to the picture to segment traffic. UDP adds checksums to the data.
TCP is a connection-oriented protocol, meaning that a communication channel will be established end to end before transmitting any data. It is heavyweight and guarantees that ordered data (Frames) will arrive if a connection exists.
UDP is a connectionless protocol that is lightweight and efficient. Data is transmitted in separate groups called Datagrams that are not guaranteed to arrive.
TCP and UDP are complementary in the TCP/IP protocol suite. They’re not better or worse than each other, they’re different.
What you should get out of this is that TCP connections are required between client and Gateway (often going through your routers). Block UDP there to prevent possible UDP flood attacks.
UDP communication is required between FactoryPMI Gateways (typically all behind your router, or better yet, in their own DMZ.