From 7050c505b5dcd0113a9d88db1fe75b5c5b70f473 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 8 Sep 2023 17:51:37 +0200
Subject: [PATCH] Allow only some ports for srun
---
 m/common/net.nix | 2 ++
 m/common/slurm.nix | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/m/common/net.nix b/m/common/net.nix
index 2057143..57f15be 100644
--- a/m/common/net.nix
+++ b/m/common/net.nix
@@ -30,6 +30,8 @@
 iptables -A nixos-fw -p tcp -s ssfhead --dport 6817:6819 -j nixos-fw-log-refuse
 # But accept traffic to slurm ports from any other node in the subnet
 iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 6817:6819 -j nixos-fw-accept
+ # We also need to open the srun port range
+ iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 60000:61000 -j nixos-fw-accept
 '';
 };
diff --git a/m/common/slurm.nix b/m/common/slurm.nix
index 988e1d8..5404d0c 100644
--- a/m/common/slurm.nix
+++ b/m/common/slurm.nix
@@ -80,6 +80,9 @@ in {
 # Turn the nodes off after 1 hour of inactivity
 SuspendTime=3600
+
+ # Reduce port range so we can allow only this range in the firewall
+ SrunPortRange=60000-61000
 '';
 };
 }
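Review bot: The new accept rule for `--dport 60000:61000` in m/common/net.nix has no matching refuse for `ssfhead`, unlike the 6817:6819 pair just above it, where `ssfhead` is sent to `nixos-fw-log-refuse` before the subnet-wide accept. If `ssfhead` sits inside 10.0.40.0/24 (the existing refuse rule suggests it does), it can now reach the srun ports on every node that imports this file. If that is not intended, add `iptables -A nixos-fw -p tcp -s ssfhead --dport 60000:61000 -j nixos-fw-log-refuse` ahead of the new accept line; if it is intended, say so in the comment. The rule block starts above the hunk, so earlier rules that might already cover this are not visible here.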
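Review bot: The srun range is now written twice, as `60000-61000` in m/common/slurm.nix and as `60000:61000` in m/common/net.nix, with nothing tying the two together, so a later edit to one leaves the firewall wider or narrower than what srun actually uses. At minimum add `# Must match the --dport range opened in m/common/net.nix` next to `SrunPortRange`; a single shared value interpolated into both strings would be safer. Separately, 60000-60999 lies inside the Linux default ephemeral range (32768-60999), so an unrelated process that is handed a kernel-assigned listening port in that span would also be reachable from the subnet. It is worth checking `net.ipv4.ip_local_port_range` on these nodes or picking a range outside it.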