diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index cf70f5838..b1d884cd1 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -2,48 +2,15 @@
 {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
 {% from 'firewall/map.jinja' import hostgroups with context -%}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
-
-# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :DOCKER - [0:0]
-:OUTPUT_direct - [0:0]
-:POSTROUTING_ZONES - [0:0]
-:POSTROUTING_ZONES_SOURCE - [0:0]
-:POSTROUTING_direct - [0:0]
-:POST_docker - [0:0]
-:POST_docker_allow - [0:0]
-:POST_docker_deny - [0:0]
-:POST_docker_log - [0:0]
-:POST_public - [0:0]
-:POST_public_allow - [0:0]
-:POST_public_deny - [0:0]
-:POST_public_log - [0:0]
-:PREROUTING_ZONES - [0:0]
-:PREROUTING_ZONES_SOURCE - [0:0]
-:PREROUTING_direct - [0:0]
-:PRE_docker - [0:0]
-:PRE_docker_allow - [0:0]
-:PRE_docker_deny - [0:0]
-:PRE_docker_log - [0:0]
-:PRE_public - [0:0]
-:PRE_public_allow - [0:0]
-:PRE_public_deny - [0:0]
-:PRE_public_log - [0:0]
--A PREROUTING -j PREROUTING_direct
--A PREROUTING -j PREROUTING_ZONES_SOURCE
--A PREROUTING -j PREROUTING_ZONES
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
--A OUTPUT -j OUTPUT_direct
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
--A POSTROUTING -j POSTROUTING_direct
--A POSTROUTING -j POSTROUTING_ZONES_SOURCE
--A POSTROUTING -j POSTROUTING_ZONES
-
 {%- for container in NODE_CONTAINERS %}
 {%- if DOCKER.containers[container].ports is defined %}
 {%- for port, proto in DOCKER.containers[container].ports.items() %}
@@ -60,119 +27,7 @@ {%- endif %} {%- endfor %} --A POSTROUTING_ZONES -o sosbridge -g POST_docker --A POSTROUTING_ZONES -o bond0 -g POST_public --A POSTROUTING_ZONES -o eth1 -g POST_public --A POSTROUTING_ZONES -o eth0 -g POST_public --A POSTROUTING_ZONES -g POST_public --A POST_docker -j POST_docker_log --A POST_docker -j POST_docker_deny --A POST_docker -j POST_docker_allow --A POST_public -j POST_public_log --A POST_public -j POST_public_deny --A POST_public -j POST_public_allow --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*mangle -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -:FORWARD_direct - [0:0] -:INPUT_direct - [0:0] -:OUTPUT_direct - [0:0] -:POSTROUTING_direct - [0:0] -:PREROUTING_ZONES - [0:0] -:PREROUTING_ZONES_SOURCE - [0:0] -:PREROUTING_direct - [0:0] -:PRE_docker - [0:0] -:PRE_docker_allow - [0:0] -:PRE_docker_deny - [0:0] -:PRE_docker_log - [0:0] -:PRE_public - [0:0] -:PRE_public_allow - [0:0] -:PRE_public_deny - [0:0] -:PRE_public_log - [0:0] --A PREROUTING -j PREROUTING_direct --A PREROUTING -j PREROUTING_ZONES_SOURCE --A PREROUTING -j PREROUTING_ZONES --A INPUT -j INPUT_direct --A FORWARD -j FORWARD_direct --A OUTPUT -j OUTPUT_direct --A POSTROUTING -j POSTROUTING_direct --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j 
PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*security -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:FORWARD_direct - [0:0] -:INPUT_direct - [0:0] -:OUTPUT_direct - [0:0] --A INPUT -j INPUT_direct --A FORWARD -j FORWARD_direct --A OUTPUT -j OUTPUT_direct -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 -*raw -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:OUTPUT_direct - [0:0] -:PREROUTING_ZONES - [0:0] -:PREROUTING_ZONES_SOURCE - [0:0] -:PREROUTING_direct - [0:0] -:PRE_docker - [0:0] -:PRE_docker_allow - [0:0] -:PRE_docker_deny - [0:0] -:PRE_docker_log - [0:0] -:PRE_public - [0:0] -:PRE_public_allow - [0:0] -:PRE_public_deny - [0:0] -:PRE_public_log - [0:0] --A PREROUTING -j PREROUTING_direct --A PREROUTING -j PREROUTING_ZONES_SOURCE --A PREROUTING -j PREROUTING_ZONES --A OUTPUT -j OUTPUT_direct --A PREROUTING_ZONES -i sosbridge -g PRE_docker --A PREROUTING_ZONES -i bond0 -g PRE_public --A PREROUTING_ZONES -i eth1 -g PRE_public --A PREROUTING_ZONES -i eth0 -g PRE_public --A PREROUTING_ZONES -g PRE_public --A PRE_docker -j PRE_docker_log --A PRE_docker -j PRE_docker_deny --A PRE_docker -j PRE_docker_allow --A PRE_public -j PRE_public_log --A PRE_public -j PRE_public_deny --A PRE_public -j PRE_public_allow -COMMIT -# Completed on Wed Jan 4 15:23:09 2023 -# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023 *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] 
@@ -181,40 +36,7 @@ COMMIT :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -:FORWARD_IN_ZONES - [0:0] -:FORWARD_IN_ZONES_SOURCE - [0:0] -:FORWARD_OUT_ZONES - [0:0] -:FORWARD_OUT_ZONES_SOURCE - [0:0] -:FORWARD_direct - [0:0] -:FWDI_docker - [0:0] -:FWDI_docker_allow - [0:0] -:FWDI_docker_deny - [0:0] -:FWDI_docker_log - [0:0] -:FWDI_public - [0:0] -:FWDI_public_allow - [0:0] -:FWDI_public_deny - [0:0] -:FWDI_public_log - [0:0] -:FWDO_docker - [0:0] -:FWDO_docker_allow - [0:0] -:FWDO_docker_deny - [0:0] -:FWDO_docker_log - [0:0] -:FWDO_public - [0:0] -:FWDO_public_allow - [0:0] -:FWDO_public_deny - [0:0] -:FWDO_public_log - [0:0] -:INPUT_ZONES - [0:0] -:INPUT_ZONES_SOURCE - [0:0] -:INPUT_direct - [0:0] -:IN_docker - [0:0] -:IN_docker_allow - [0:0] -:IN_docker_deny - [0:0] -:IN_docker_log - [0:0] -:IN_public - [0:0] -:IN_public_allow - [0:0] -:IN_public_deny - [0:0] -:IN_public_log - [0:0] :LOGGING - [0:0] -:OUTPUT_direct - [0:0] {%- set count = namespace(value=0) %} {%- for chain, hg in assigned_hostgroups.chain.items() %} @@ -237,12 +59,7 @@ COMMIT {%- endfor %} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -j INPUT_direct --A INPUT -j INPUT_ZONES_SOURCE --A INPUT -j INPUT_ZONES -A INPUT -m conntrack --ctstate INVALID -j DROP --A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER 
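Review bot: Removing `-A INPUT -i lo -j ACCEPT` in the second hunk on this line (and `-A OUTPUT -o lo -j ACCEPT` in the next hunk) leaves no explicit loopback allow, while INPUT still ends in `-A INPUT -j LOGGING`, and the LOGGING chain drops after its rate-limited LOG rule. Any new connection over lo that the rendered hostgroup rules do not admit is therefore logged as "IPTables-dropped" and discarded, which breaks local services talking to each other on 127.0.0.1 and fills the log with self-traffic; whether the hostgroup loop above this hunk covers lo is not visible here. Keeping `-A INPUT -i lo -j ACCEPT` directly after the RELATED,ESTABLISHED rule restores the usual behaviour; the OUTPUT counterpart only matters if OUTPUT later gains restrictive rules. The jinja loops around this hunk start and end outside it.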
@@ -252,16 +69,6 @@ COMMIT -A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT -A FORWARD -i sosbridge -o sosbridge -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -i lo -j ACCEPT --A FORWARD -j FORWARD_direct --A FORWARD -j FORWARD_IN_ZONES_SOURCE --A FORWARD -j FORWARD_IN_ZONES --A FORWARD -j FORWARD_OUT_ZONES_SOURCE --A FORWARD -j FORWARD_OUT_ZONES --A FORWARD -m conntrack --ctstate INVALID -j DROP --A FORWARD -j REJECT --reject-with icmp-host-prohibited --A OUTPUT -o lo -j ACCEPT --A OUTPUT -j OUTPUT_direct -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for container in NODE_CONTAINERS %} 
@@ -277,48 +84,7 @@ COMMIT
 -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -j RETURN
 -A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
 -A DOCKER-USER -j RETURN
--A FORWARD_IN_ZONES -i sosbridge -g FWDI_docker
--A FORWARD_IN_ZONES -i bond0 -g FWDI_public
--A FORWARD_IN_ZONES -i eth1 -g FWDI_public
--A FORWARD_IN_ZONES -i eth0 -g FWDI_public
--A FORWARD_IN_ZONES -g FWDI_public
--A FORWARD_OUT_ZONES -o sosbridge -g FWDO_docker
--A FORWARD_OUT_ZONES -o bond0 -g FWDO_public
--A FORWARD_OUT_ZONES -o eth1 -g FWDO_public
--A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
--A FORWARD_OUT_ZONES -g FWDO_public
--A FWDI_docker -j FWDI_docker_log
--A FWDI_docker -j FWDI_docker_deny
--A FWDI_docker -j FWDI_docker_allow
--A FWDI_docker -j ACCEPT
--A FWDI_public -j FWDI_public_log
--A FWDI_public -j FWDI_public_deny
--A FWDI_public -j FWDI_public_allow
--A FWDI_public -p icmp -j ACCEPT
--A FWDO_docker -j FWDO_docker_log
--A FWDO_docker -j FWDO_docker_deny
--A FWDO_docker -j FWDO_docker_allow
--A FWDO_docker -j ACCEPT
--A FWDO_public -j FWDO_public_log
--A FWDO_public -j FWDO_public_deny
--A FWDO_public -j FWDO_public_allow
--A INPUT_ZONES -i sosbridge -g IN_docker
--A INPUT_ZONES -i bond0 -g IN_public
--A INPUT_ZONES -i eth1 -g IN_public
--A INPUT_ZONES -i eth0 -g IN_public
--A INPUT_ZONES -g IN_public
--A IN_docker -j IN_docker_log
--A IN_docker -j IN_docker_deny
--A IN_docker -j IN_docker_allow
--A IN_docker -j ACCEPT
--A IN_public -j IN_public_log
--A IN_public -j IN_public_deny
--A IN_public -j IN_public_allow
--A IN_public -p icmp -j ACCEPT
--A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
 -A LOGGING -j DROP
 COMMIT
-# Completed on Wed Jan 4 15:23:09 2023
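Review bot: Dropping `-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING` removes the only rule that logged unsolicited traffic towards the container bridge; after this change DOCKER-USER just returns, and with the earlier hunk also removing `-A FORWARD -m conntrack --ctstate INVALID -j DROP` and the FORWARD REJECT, anything that no later rule accepts falls to the `:FORWARD DROP` policy without a log line. The filtering outcome is presumably equivalent, but the loss of visibility is not mentioned anywhere, and the LOGGING chain kept at the end of this hunk is now reached only from INPUT. If silent drops on FORWARD are intended, a one-line comment such as `# forwarded traffic that nothing accepts is dropped by the chain policy and is not logged` above the DOCKER-USER rules would record that; otherwise re-adding `-A FORWARD -j LOGGING` as the last FORWARD rule keeps the rate-limited log. The FORWARD chain itself and the container port loop are outside this hunk.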