Block ssfhead from reaching our slurm daemon

Rodrigo Arias 2023-09-08 17:20:32 +02:00
parent 9c9c41fb57
commit a758eef354


@ -23,7 +23,14 @@
allowedTCPPorts = [ 22 ]; allowedTCPPorts = [ 22 ];
# FIXME: For slurmd as it requests the compute nodes to connect to us # FIXME: For slurmd as it requests the compute nodes to connect to us
allowedTCPPortRanges = [ { from=1024; to=65535; } ]; #allowedTCPPortRanges = [ { from=1024; to=65535; } ];
extraCommands = ''
# Prevent ssfhead from contacting our slurmd daemon
iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-log-refuse
# But accept traffic to slurm ports from any other node in the subnet
iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
'';
}; };
extraHosts = '' extraHosts = ''
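Review bot: The refuse rule added in `extraCommands` matches on a hostname (`-s ssfhead`), which iptables resolves only once, when the rule is loaded. If the name cannot be resolved at that moment the command errors out, and if it later maps to a different address the block stops matching while the 10.0.40.0/24 accept rule on the next line would still admit that host, assuming it sits in that subnet. I would use the literal address instead, `iptables -A nixos-fw -p tcp -s <SSFHEAD_IP> --dport 6817:6819 -j nixos-fw-log-refuse` (placeholder; presumably the value is in the `extraHosts` block that begins at the end of this hunk), and keep the name in the comment above it. The `# FIXME: For slurmd ...` comment now sits above a commented-out `allowedTCPPortRanges` line; both could be deleted rather than left as dead configuration.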