
[HTCondor-users] Issues with firewall when USE_SHARED_PORT = True



I have installed HTCondor on a couple of nodes for testing. The machines are running Raspbian Stretch 9.4 and the HTCondor version is 8.4.11 from the repo.

The config is one central manager + submit node and one execute-only node. I have USE_SHARED_PORT enabled on both nodes. I can run the condor_q and condor_status commands fine. I need to enable a firewall. I used iptables on the central manager node and allowed port 9618 as input. As soon as I do this, it is unable to complete the above commands, which time out and give the following error:
-- Failed to fetch ads from: <192.168.1.3:9618?addrs=192.168.1.3-9618&noUDP&sock=598_c1b9_4> : node0
SECMAN:2007:Failed to end classad message.

Chain INPUT (policy DROP)
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:9618
ACCEPT     udp  --  192.168.1.0/24       anywhere             udp dpt:9618

netstat -tlp shows the following ports in use:
tcp        0      0 0.0.0.0:36427           0.0.0.0:*               LISTEN      630/condor_schedd
tcp        0      0 0.0.0.0:55217           0.0.0.0:*               LISTEN      628/condor_collecto
tcp        0      0 0.0.0.0:44177           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:9618            0.0.0.0:*               LISTEN      627/condor_shared_p
tcp        0      0 0.0.0.0:4797            0.0.0.0:*               LISTEN      628/condor_collecto
tcp        0      0 0.0.0.0:24865           0.0.0.0:*               LISTEN      630/condor_schedd

I gather the daemons use randomly allocated ports. Do I need to use a fixed port for each one and allow it through as well? Do I need to use SHARED_PORT on both the central manager and the execute nodes, or is it only required on one of them?

MarkJ