Block ssfhead from reaching our slurm daemon

2023-09-08 17:20:32 +02:00 · 2023-09-08 17:20:32 +02:00 · 033a1fe97b
commit 033a1fe97b
parent 77cb3c494e
1 changed files with 8 additions and 1 deletions
--- a/m/common/net.nix
+++ b/m/common/net.nix
@ -23,7 +23,14 @@
      allowedTCPPorts = [ 22 ];

      # FIXME: For slurmd as it requests the compute nodes to connect to us
-      allowedTCPPortRanges = [ { from=1024; to=65535; } ];
+      #allowedTCPPortRanges = [ { from=1024; to=65535; } ];
+
+      extraCommands = ''
+        # Prevent ssfhead from contacting our slurmd daemon
+        iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-log-refuse
+        # But accept traffic to slurm ports from any other node in the subnet
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
+      '';
    };

    extraHosts = ''