diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 95aae108e..e31d9f1ed 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1138,3 +1138,66 @@ firewall:
 portgroups: []
 customhostgroup9:
 portgroups: []
+ idh:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ customhostgroup0:
+ portgroups: []
+ customhostgroup1:
+ portgroups: []
+ customhostgroup2:
+ portgroups: []
+ customhostgroup3:
+ portgroups: []
+ customhostgroup4:
+ portgroups: []
+ customhostgroup5:
+ portgroups: []
+ customhostgroup6:
+ portgroups: []
+ customhostgroup7:
+ portgroups: []
+ customhostgroup8:
+ portgroups: []
+ customhostgroup9:
+ portgroups: []
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups: []
+ dockernet:
+ portgroups:
+ - all
+ localhost:
+ portgroups:
+ - all
+ manager:
+ portgroups:
+ - openssh
+ managersearch:
+ portgroups:
+ - openssh
+ standalone:
+ portgroups:
+ - openssh
+ customhostgroup0:
+ portgroups: []
+ customhostgroup1:
+ portgroups: []
+ customhostgroup2:
+ portgroups: []
+ customhostgroup3:
+ portgroups: []
+ customhostgroup4:
+ portgroups: []
+ customhostgroup5:
+ portgroups: []
+ customhostgroup6:
+ portgroups: []
+ customhostgroup7:
+ portgroups: []
+ customhostgroup8:
+ portgroups: []
+ customhostgroup9:
+ portgroups: []
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 7a549d123..99296e0ab 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
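Review bot: The `anywhere` hostgroup under `INPUT` for the new `idh` role is declared with an empty portgroups list, and nothing in this file records that it is populated at render time — the map.jinja hunk in this same diff appends every `idh`-prefixed IDH portgroup to `firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups` when the role is `so-idh`, which makes this the one entry in the defaults that ends up opening ports to the whole network. A comment above `anywhere:` would stop a maintainer from "fixing" it by hand: `# populated at render time by firewall/map.jinja with the idh_* honeypot portgroups only; never add openssh or other management ports here`. The `manager`, `managersearch` and `standalone` hostgroups being limited to `openssh` is consistent with that intent. One caveat worth confirming: if the honeypot services are published through Docker port mappings, that traffic traverses `DOCKER-USER` rather than `INPUT`, and the idh `DOCKER-USER` chain here carries only the empty custom hostgroups — check that the idh portgroups land in the chain that actually sees the honeypot traffic.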
@@ -4,7 +4,18 @@
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
-{# add dockernet range #}
+{# add dockernet range #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
+{% if GLOBALS.role == 'so-idh' %}
+{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
+{% do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %}
+{% for pg in IDH_PORTGROUPS.keys() %}
+{# idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}
+{% if pg.split('_')[0] == 'idh' %}
+{% do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
 {% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
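Review bot: The prefix test `{% if pg.split('_')[0] == 'idh' %}` does not match its own comment, which says idh portgroups "start with _idh": the code accepts any key whose first underscore-separated token is `idh` (including a bare `idh` key) and would reject a key that literally starts with `_idh`. Because this test is the only thing keeping non-honeypot portgroups — openssh in particular — out of the `anywhere` hostgroup, it should be explicit: `{% if pg.startswith('idh_') %}`, with the comment reworded to `{# only portgroups named idh_<service> are opened to anywhere; everything else (e.g. openssh) keeps its hostgroup restrictions #}`. Separately, `salt['defaults.merge'](..., in_place=True)` on the line above merges every key of IDH_PORTGROUPS, filtered or not, into the shared `firewall.portgroups` map, so an IDH key that collides with an existing portgroup name would presumably overwrite that definition for every role; the `idh_` naming convention in `idh/opencanary_config.map.jinja` (not visible here) is all that prevents this, and the comment should say so. These appends run before the `pillar.get(..., merge=True)` on the last line, so operators can still override the result from pillar, which is the expected precedence.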