Add network policy, clarify account/penalty rules, and add admin contact

- Add docs/network.md with open port table and user responsibilities
- Clarify account validity is set during registration
- Add 1-month rolling window for CPU/memory offense counter (provisional)
- Note no per-user quota on /shared/hdd and /shared/ssd
- Add admin contact email and link Network section from README

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Junyi-99

README.md

@@ -15,6 +15,8 @@ The Xtra Computing Server provides computational resources (GPU, CPU, memory, an
 
 Users must apply via the provided registration form: https://forms.gle/Wf8qbNeuSPS2ia8u6
 
+Account validity is determined by the expiration date provided by the user during registration, subject to confirmation by the administrator.
+
 ### Account Management
 
 | Event              | Action                 | Notes                                                    |
@@ -50,7 +52,7 @@ For hosting large datasets, please contact the administrator. Dataset hosting wi
 
 ### **Data Integrity**
 
-Data integrity is **not** guaranteed. Users must perform regular backups. Weekly backups are recommended, with more frequent backups suggested for critical data. For critical data requiring higher reliability, use the `/shared/hdd` or `/shared/ssd` directory protected by RAIDZ2 (resilient to two drive failures).
+Data integrity is **not** guaranteed. Users must perform regular backups. Weekly backups are recommended, with more frequent backups suggested for critical data. For critical data requiring higher reliability, use the `/shared/hdd` or `/shared/ssd` directory protected by RAIDZ2 (resilient to two drive failures). There is currently no per-user quota on these shared directories; please use them responsibly.
 
 > [!IMPORTANT]
 > Backup responsibility belongs to the user. Always maintain restorable checkpoints for critical work.
@@ -142,6 +144,16 @@ Excessive usage is determined based on its impact on system stability
 | 4th           | Account frozen for 2 weeks            |
 | 5th           | Permanent ban from all infrastructures|
 
+The offense counter starts from the date of the first violation and is monitored over a rolling 1-month window. Offenses outside this window are not counted. *(Provisional rule, subject to revision.)*
+
+---
+
+## Network
+
+Users may run services on designated open ports. Port availability is governed by NUS School of Computing firewall policies and may change without notice.
+
+For full details, see: [Network Policy](docs/network.md).
+
 ---
 
 ### General Disclaimer
@@ -153,4 +165,10 @@ Xtra Computing Server administrators and affiliates are not responsible for data
 
 For detailed administrator boundaries, see: [Admin Liability](docs/admin-liability.md).
 
-Last update: March 3, 2026
+---
+
+## Contact
+
+For all administrative requests, policy questions, or exception applications, contact the administrator at: **hhh@u.nus.edu**
+
+Last update: April 5, 2026

docs/network.md

@@ -0,0 +1,41 @@
+# Network Policy
+
+This page describes the network and firewall configuration on the Xtra Computing Server.
+
+> [!WARNING]
+> Port availability is subject to NUS School of Computing firewall policies, which may change without prior notice. Always refer to the official NUS firewall documentation for the latest rules: https://dochub.comp.nus.edu.sg/cf/tech/network/firewall
+
+## Open Ports
+
+### System-Reserved Ports
+
+These ports are used by server infrastructure and are **not available** for user services.
+
+| Port | Protocol | Purpose |
+|------|----------|---------|
+| 22 | TCP | SSH access (rate limited) |
+| 111 | TCP/UDP | autofs |
+| 2049 | TCP/UDP | NFS |
+| 2379 | TCP | etcd client (usage reporting) |
+| 2380 | TCP | etcd peer (usage reporting) |
+| 4000 | TCP | Cgroup Exporter (RAM monitoring) |
+| 4001 | TCP | Node Exporter (CPU and general monitoring) |
+| 4003 | TCP | NVIDIA GPU Exporter (GPU monitoring) |
+
+### User-Available Ports
+
+Users may run services on ports within the following ranges:
+
+| Port Range | Protocol | Notes |
+|------------|----------|-------|
+| 4000-4100 | TCP/UDP | SoC allowed range. Avoid system-reserved ports listed above. |
+| 10000-30000 | TCP/UDP | General-purpose range for user services. |
+
+Ports outside these ranges are blocked by default.
+
+## User Responsibilities
+
+- Only bind ports within the user-available ranges listed above.
+- Do not interfere with system-reserved ports or services.
+- Terminate services and release ports when no longer needed.
+- If you need a port outside the allowed ranges, contact the administrator. Approval depends on NUS firewall policy.