From 033a1fe97b609a0dce06f54442d64f9651fc398c Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 8 Sep 2023 17:20:32 +0200
Subject: [PATCH] Block ssfhead from reaching our slurm daemon
---
 m/common/net.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/m/common/net.nix b/m/common/net.nix
index e542e5f..2057143 100644
--- a/m/common/net.nix
+++ b/m/common/net.nix
@@ -23,7 +23,14 @@
 allowedTCPPorts = [ 22 ];
 # FIXME: For slurmd as it requests the compute nodes to connect to us
- allowedTCPPortRanges = [ { from=1024; to=65535; } ];
+ #allowedTCPPortRanges = [ { from=1024; to=65535; } ];
+
+ extraCommands = ''
+ # Prevent ssfhead from contacting our slurmd daemon
+ iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-log-refuse
+ # But accept traffic to slurm ports from any other node in the subnet
+ iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
+ '';
 };
 extraHosts = ''
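Review bot: The refuse rule in `extraCommands` names its source as `-s ssfhead`, and iptables resolves a hostname only once, when the rule is inserted, so the block depends on what the resolver returns while the firewall is starting; if the name does not resolve at that moment the rule is not installed. Pinning the address removes that dependency: `iptables -A nixos-fw -p tcp -s <ssfhead-ipv4> --dport 6817:6819 -j nixos-fw-log-refuse`, with the placeholder replaced by the address presumably listed under `extraHosts` (its contents are outside the hunk). The block is by source address only, so it holds only while ssfhead cannot use another address inside 10.0.40.0/24; a comment stating that, and that the refuse rule must stay ahead of the subnet accept rule, would help the next editor. The commented-out `#allowedTCPPortRanges` line and the FIXME above it now describe a rule that no longer exists and could be removed or reworded. The enclosing firewall block starts above the hunk and `extraHosts` continues past it.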