Merge pull request #10274 from Security-Onion-Solutions/ui/firewall

UI/firewall
2025-12-06 09:12:45 +01:00 · 2023-05-03 12:44:18 -04:00
parent a57ba7e35d b0bd64bc10
commit 85ce0bb472
38 changed files with 2391 additions and 1080 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -6,6 +6,8 @@ base:
    - logrotate
    - docker.soc_docker
    - docker.adv_docker
    - firewall.soc_firewall
    - firewall.adv_firewall
    - sensoroni.soc_sensoroni
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
@@ -68,8 +70,6 @@ base:
    - elasticsearch.adv_elasticsearch
    - backup.soc_backup
    - backup.adv_backup
    - firewall.soc_firewall
    - firewall.adv_firewall
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
@@ -108,8 +108,6 @@ base:
    - influxdb.adv_influxdb
    - backup.soc_backup
    - backup.adv_backup
    - firewall.soc_firewall
    - firewall.adv_firewall
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
@@ -145,8 +143,6 @@ base:
    - soc.soc_soc
    - backup.soc_backup
    - backup.adv_backup
    - firewall.soc_firewall
    - firewall.adv_firewall
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
@@ -223,8 +219,6 @@ base:
    - redis.adv_redis
    - influxdb.soc_influxdb
    - influxdb.adv_influxdb
    - firewall.soc_firewall
    - firewall.adv_firewall
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -1,104 +1,147 @@
-#!/usr/bin/bash
+#!/usr/bin/env python3
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# Copyright 2014-2023 Security Onion Solutions, LLC
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+#
-# https://securityonion.net/license; you may not use this file except in compliance with the
+# This program is free software: you can redistribute it and/or modify
-# Elastic License 2.0.
+# it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-. /usr/sbin/so-common
+import os
 import subprocess
 import sys
 import time
 import yaml
-if [[ $# -lt 1 ]]; then
+lockFile = "/tmp/so-firewall.lock"
-  echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS> --apply=<true|false>"
+hostgroupsFilename = "/opt/so/saltstack/local/pillar/firewall/soc_firewall.sls"
-  echo ""
+defaultsFilename = "/opt/so/saltstack/default/salt/firewall/defaults.yaml"
  echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
  echo ""
  exit 1
 fi
-for i in "$@"; do
+def showUsage(options, args):
-	case $i in
+  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
-		-r=*|--role=*)
+  print('  Options:')
-			ROLE="${i#*=}"
+  print('   --apply         - After updating the firewall configuration files, apply the new firewall state')
-			shift 
+  print('')
-			;;
+  print('  General commands:')
-		-i=*|--ip=*)
+  print('    help           - Prints this usage information.')
-			IP="${i#*=}"
+  print('    apply          - Apply the firewall state.')
-			shift 
+  print('')
-			;;
+  print('  Host commands:')
-		-a=*|--apply*)
+  print('    includehost    - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
-			APPLY="${i#*=}"
+  print('    addhostgroup   - Adds a new, custom host group. Args: <GROUP_NAME>')
-			shift
+  print('')
-			;;
+  print('  Where:')
-		-*|--*)
+  print('   GROUP_NAME    - The name of an alias group (Ex: analyst)')
-			echo "Unknown option $i"
+  print('   IP            - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
-			exit 1
+  sys.exit(1)
 			;;
 		*)
 		;;
 	esac
 done
-ROLE=${ROLE,,}
+def checkApplyOption(options):
-APPLY=${APPLY,,}
+  if "--apply" in options:
    return apply(None, None)
-function rolecall() {
+def loadYaml(filename):
-	THEROLE=$1
+  file = open(filename, "r")
-	THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval fleet heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog"
+  content = file.read()
  return yaml.safe_load(content)
-	for AROLE in $THEROLES; do
+def writeYaml(filename, content):
-		if [ "$AROLE" = "$THEROLE" ]; then
+  file = open(filename, "w")
  return yaml.dump(content, file)
 def addIp(name, ip):
  content = loadYaml(hostgroupsFilename)
  defaults = loadYaml(defaultsFilename)
  allowedHostgroups = defaults['firewall']['hostgroups']
  unallowedHostgroups = ['anywhere', 'dockernet', 'localhost', 'self']
  for hg in unallowedHostgroups:
    allowedHostgroups.pop(hg)
  if not content:
    content = {'firewall': {'hostgroups': {name: []}}}
  if name in allowedHostgroups:
    if name not in content['firewall']['hostgroups']:
      hostgroup = content['firewall']['hostgroups'].update({name: [ip]})
    else:
      hostgroup = content['firewall']['hostgroups'][name]
  else:
    print('Host group not defined in salt/firewall/defaults.yaml or hostgroup name is unallowed.', file=sys.stderr)
    return 4
  ips = hostgroup
  if ips is None:
    ips = []
    hostgroup = ips
  if ip not in ips:
    ips.append(ip)
  else:
    print('Already exists', file=sys.stderr)
    return 3
  writeYaml(hostgroupsFilename, content)
  return 0
-		fi
+
-	done
+def includehost(options, args):
-	return 1
+  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
    showUsage(options, args)
  result = addIp(args[0], args[1])
  code = result
  if code == 0:
    code = checkApplyOption(options)
  return code
 def apply(options, args):
  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
  return proc.returncode
 def main():
  options = []
  args = sys.argv[1:]
  for option in args:
    if option.startswith("--"):
      options.append(option)
      args.remove(option)
  if len(args) == 0:
    showUsage(options, None)
  commands = {
    "help": showUsage,
    "includehost": includehost,
    "apply": apply
  }
-# Make sure the required options are specified
+  code=1
 if [ -z "$ROLE" ]; then
 	echo "Please specify a role with --role="
 	exit 1
 fi
 if [ -z "$IP" ]; then
 	echo "Please specify an IP address with --ip="
 	exit 1
 fi
-# Are we dealing with a role that this script supports?
+  try:
-if rolecall "$ROLE"; then
+    lockAttempts = 0
-	echo "$ROLE is a supported role"
+    maxAttempts = 30
-else
+    while lockAttempts < maxAttempts:
-	echo "This is not a supported role"
+      lockAttempts = lockAttempts + 1
-	exit 1
+      try:
-fi
+        f = open(lockFile, "x")
        f.close()
        break
      except:
        time.sleep(2)
- # Are we dealing with an IP?
+    if lockAttempts == maxAttempts:
-if verify_ip4 "$IP"; then
+      print("Lock file (" + lockFile + ") could not be created; proceeding without lock.")
 	echo "$IP is a valid IP or CIDR"
 else
 	echo "$IP is not a valid IP or CIDR"
 	exit 1
 fi
-local_salt_dir=/opt/so/saltstack/local/salt/firewall
+    cmd = commands.get(args[0], showUsage)
    code = cmd(options, args[1:])
  finally:
    try:
      os.remove(lockFile)
    except:
      print("Lock file (" + lockFile + ") already removed")
-# Let's see if the file exists and if it does, let's see if the IP exists.
+  sys.exit(code)
 if [ -f "$local_salt_dir/hostgroups/$ROLE" ]; then
 	if grep -q $IP "$local_salt_dir/hostgroups/$ROLE"; then
 		echo "Host already exists"
 		exit 0
 	fi
 fi
-# If you have reached this part of your quest then let's add the IP
+if __name__ == "__main__":
-echo "Adding $IP to the $ROLE role"
+  main()
 echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
 # Check to see if we are applying this right away.
 if [ "$APPLY" = "true" ]; then
 	echo "Applying the firewall rules"
 	salt-call state.apply firewall queue=True
 	echo "Firewall rules have been applied... Review logs further if there were errors."
 	echo ""
 else
 	echo "Firewall rules will be applied next salt run"
 fi
--- a/salt/common/tools/sbin/so-firewall-minion
+++ b/salt/common/tools/sbin/so-firewall-minion
@@ -49,34 +49,34 @@ fi
 	case "$ROLE" in
        'MANAGER')
-			so-firewall --role=manager --ip="$IP"
+			so-firewall includehost manager "$IP"
 			;;
-		'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
+		'MANAGERSEARCH')
-			so-firewall --role=manager --ip="$IP"
+			so-firewall includehost manager "$IP"
-			so-firewall --role=sensors --ip="$IP"
+			so-firewall includehost searchnode "$IP" --apply
-			so-firewall --apply=true --role=searchnodes --ip="$IP"
+			;;
 		'EVAL' | 'STANDALONE' | 'IMPORT')
 			so-firewall includehost manager "$IP"
 			so-firewall includehost sensor "$IP"
 			so-firewall includehost searchnode "$IP" --apply
 			;;
 		'FLEET' | 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
 			case "$ROLE" in
 		'FLEET')
-					so-firewall --apply=true --role=fleet --ip="$IP"
+			so-firewall includehost fleet "$IP" --apply
 			;;
 		'SENSOR')
-					so-firewall --apply=true --role=sensors --ip="$IP"
+			so-firewall includehost sensor "$IP" --apply
 			;;
 		'SEARCHNODE')
-					so-firewall --apply=true --role=searchnodes --ip="$IP"
+			so-firewall includehost searchnode "$IP" --apply
 			;;
 		'HEAVYNODE')
-					so-firewall --role=sensors --ip="$IP"
+			so-firewall includehost sensor "$IP"
-					so-firewall --apply=true --role=heavynodes --ip="$IP"
+			so-firewall includehost heavynode "$IP" --apply
 			;;
 		'IDH')
-				    so-firewall --apply=true --role=sensors --ip="$IP"
+		    so-firewall includehost sensor "$IP" --apply
 			;;
 		'RECEIVER')
-					so-firewall --apply=true --role=receivers --ip="$IP"
+			so-firewall includehost receiver "$IP" --apply
                    ;;
           	esac
 			;;
    esac
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -1,625 +0,0 @@
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
 {% import_yaml 'firewall/ports/ports.yaml' as portgroups %}
 {% set portgroups = portgroups.firewall.ports %}
 {% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True)  %}
 {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
 role:
  eval:
    chain:
      DOCKER-USER:
        hostgroups:
          eval:
            portgroups:
              - {{ portgroups.playbook }}
              - {{ portgroups.mysql }}
              - {{ portgroups.kibana }}
              - {{ portgroups.redis }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
          sensors:
            portgroups:
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
          searchnodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_node }}
          heavynodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_node }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          strelka_frontend:
            portgroups:
              - {{ portgroups.strelka_frontend }}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
          analyst:
            portgroups:
              - {{ portgroups.nginx }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  fleet:
    chain:
      DOCKER-USER:
        hostgroups:
          sensors:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
          standalone:
            portgroups:
              - {{ portgroups.salt_manager }}
          sensors:
            portgroups:
              - {{ portgroups.salt_manager }}
          searchnodes:
            portgroups:
              - {{ portgroups.salt_manager }}
          heavynodes:
            portgroups:
              - {{ portgroups.salt_manager }}
  manager:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - {{ portgroups.playbook }}
              - {{ portgroups.mysql }}
              - {{ portgroups.kibana }}
              - {{ portgroups.redis }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
              {% if ISAIRGAP is sameas true %}
              - {{ portgroups.agrules }}
              {% endif %}
          sensors:
            portgroups:
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
          searchnodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          heavynodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          endgame:
            portgroups:
              - {{ portgroups.endgame }}
          analyst:
            portgroups:
              - {{ portgroups.nginx }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
          sensors:
            portgroups:
              - {{ portgroups.salt_manager }}
          searchnodes:
            portgroups:
              - {{ portgroups.salt_manager }}
          heavynodes:
            portgroups:
              - {{ portgroups.salt_manager }}
  managersearch:
    chain:
      DOCKER-USER:
        hostgroups:
          managersearch:
            portgroups:
              - {{ portgroups.playbook }}
              - {{ portgroups.mysql }}
              - {{ portgroups.kibana }}
              - {{ portgroups.redis }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          sensors:
            portgroups:
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
          searchnodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          heavynodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.yum }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          endgame:
            portgroups:
              - {{ portgroups.endgame }}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
          analyst:
            portgroups:
              - {{ portgroups.nginx }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
          sensors:
            portgroups:
              - {{ portgroups.salt_manager }}
          searchnodes:
            portgroups:
              - {{ portgroups.salt_manager }}
          heavynodes:
            portgroups:
              - {{ portgroups.salt_manager }}
  standalone:
    chain:
      DOCKER-USER:
        hostgroups:
          localhost:
            portgroups:
              - {{ portgroups.all }}
          standalone:
            portgroups:
              - {{ portgroups.playbook }}
              - {{ portgroups.mysql }}
              - {{ portgroups.kibana }}
              - {{ portgroups.redis }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.sensoroni }}
              - {{ portgroups.yum }}
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.beats_5056 }}
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
              - {{ portgroups.endgame }}
              - {{ portgroups.strelka_frontend }}
          fleet:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.sensoroni }}
              - {{ portgroups.yum }}
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.beats_5056 }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          sensors:
            portgroups:
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.sensoroni }}
              - {{ portgroups.yum }}
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
              - {{ portgroups.beats_5056 }}
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          searchnodes:
            portgroups:
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.sensoroni }}
              - {{ portgroups.yum }}
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
          heavynodes:
            portgroups:
              - {{ portgroups.docker_registry }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.sensoroni }}
              - {{ portgroups.yum }}
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          endgame:
            portgroups:
              - {{ portgroups.endgame }}
          strelka_frontend:
            portgroups:
              - {{ portgroups.strelka_frontend }}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
          analyst:
            portgroups:
              - {{ portgroups.nginx }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          fleet:
            portgroups:
              - {{ portgroups.salt_manager }}              
          localhost:
            portgroups:
              - {{ portgroups.all }}
          standalone:
            portgroups:
              - {{ portgroups.salt_manager }}
          sensors:
            portgroups:
              - {{ portgroups.salt_manager }}
          searchnodes:
            portgroups:
              - {{ portgroups.salt_manager }}
          heavynodes:
            portgroups:
              - {{ portgroups.salt_manager }}
  searchnode:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elasticsearch_rest }}
          dockernet:
            portgroups:
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elasticsearch_rest }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          searchnodes:
            portgroups:
              - {{ portgroups.elasticsearch_node }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  sensor:
    chain:
      DOCKER-USER:
        hostgroups:
          self:
            portgroups:
              - {{ portgroups.syslog}}
          strelka_frontend:
            portgroups:
              - {{ portgroups.strelka_frontend }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  heavynode:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elasticsearch_rest }}
          dockernet:
            portgroups:
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elasticsearch_rest }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          self:
            portgroups:
              - {{ portgroups.syslog}}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elasticsearch_rest }}
          strelka_frontend:
            portgroups:
              - {{ portgroups.strelka_frontend }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  import:
    chain:
      DOCKER-USER:
        hostgroups:
          manager:
            portgroups:
              - {{ portgroups.kibana }}
              - {{ portgroups.redis }}
              - {{ portgroups.influxdb }}
              - {{ portgroups.elasticsearch_rest }}
              - {{ portgroups.elasticsearch_node }}
              - {{ portgroups.elastic_agent_control }}
          sensors:
            portgroups:
              - {{ portgroups.beats_5044 }}
              - {{ portgroups.beats_5644 }}
          searchnodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.elasticsearch_node }}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          elasticsearch_rest:
            portgroups:
              - {{ portgroups.elasticsearch_rest }}
          elastic_agent_endpoint:
            portgroups:
              - {{ portgroups.elastic_agent_control }}
              - {{ portgroups.elastic_agent_data }}
              - {{ portgroups.elastic_agent_update }}
          analyst:
            portgroups:
              - {{ portgroups.nginx }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  receiver:
    chain:
      DOCKER-USER:
        hostgroups:
          sensors:
            portgroups:
              - {{ portgroups.beats_5644 }}
          searchnodes:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.beats_5644 }}
          self:
            portgroups:
              - {{ portgroups.redis }}
              - {{ portgroups.syslog}}
              - {{ portgroups.beats_5644 }}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
          beats_endpoint:
            portgroups:
              - {{ portgroups.beats_5044 }}
          beats_endpoint_ssl:
            portgroups:
              - {{ portgroups.beats_5644 }}
          endgame:
            portgroups:
              - {{ portgroups.endgame }}
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
              - {{ portgroups.ssh }}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
  idh:
    chain:
      INPUT:
        hostgroups:
          anywhere:
            portgroups:
            {% for service in IDH_PORTGROUPS.keys() %}
              {% if service != 'openssh' %}
              - {{ IDH_PORTGROUPS[service] }}
              {% endif %}
            {% endfor %}
          dockernet:
            portgroups:
              - {{ portgroups.all }}
          localhost:
            portgroups:
              - {{ portgroups.all }}
          manager:
            portgroups:
              - {{ IDH_PORTGROUPS.openssh }}
          standalone:
            portgroups:
              - {{ IDH_PORTGROUPS.openssh }}
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
--- a/salt/firewall/hostgroups/analyst
+++ b/salt/firewall/hostgroups/analyst
--- a/salt/firewall/hostgroups/analyst_workstations
+++ b/salt/firewall/hostgroups/analyst_workstations
--- a/salt/firewall/hostgroups/anywhere
+++ b/salt/firewall/hostgroups/anywhere
@@ -1 +0,0 @@
 0.0.0.0/0
--- a/salt/firewall/hostgroups/beats_endpoint
+++ b/salt/firewall/hostgroups/beats_endpoint
--- a/salt/firewall/hostgroups/beats_endpoint_ssl
+++ b/salt/firewall/hostgroups/beats_endpoint_ssl
--- a/salt/firewall/hostgroups/dockernet
+++ b/salt/firewall/hostgroups/dockernet
@@ -1,2 +0,0 @@
 {% from 'docker/docker.map.jinja' import DOCKER -%}
 {{ DOCKER.sorange }}
--- a/salt/firewall/hostgroups/elastic_agent_endpoint
+++ b/salt/firewall/hostgroups/elastic_agent_endpoint
--- a/salt/firewall/hostgroups/elasticsearch_rest
+++ b/salt/firewall/hostgroups/elasticsearch_rest
--- a/salt/firewall/hostgroups/endgame
+++ b/salt/firewall/hostgroups/endgame
--- a/salt/firewall/hostgroups/eval
+++ b/salt/firewall/hostgroups/eval
--- a/salt/firewall/hostgroups/fleet
+++ b/salt/firewall/hostgroups/fleet
--- a/salt/firewall/hostgroups/heavynodes
+++ b/salt/firewall/hostgroups/heavynodes
--- a/salt/firewall/hostgroups/idh
+++ b/salt/firewall/hostgroups/idh
--- a/salt/firewall/hostgroups/localhost
+++ b/salt/firewall/hostgroups/localhost
@@ -1 +0,0 @@
 127.0.0.1
--- a/salt/firewall/hostgroups/manager
+++ b/salt/firewall/hostgroups/manager
--- a/salt/firewall/hostgroups/receivers
+++ b/salt/firewall/hostgroups/receivers
--- a/salt/firewall/hostgroups/searchnodes
+++ b/salt/firewall/hostgroups/searchnodes
--- a/salt/firewall/hostgroups/self
+++ b/salt/firewall/hostgroups/self
@@ -1,2 +0,0 @@
 {% from 'vars/globals.map.jinja' import GLOBALS -%}
 {{ GLOBALS.node_ip }}
--- a/salt/firewall/hostgroups/sensors
+++ b/salt/firewall/hostgroups/sensors
--- a/salt/firewall/hostgroups/standalone
+++ b/salt/firewall/hostgroups/standalone
--- a/salt/firewall/hostgroups/strelka_frontend
+++ b/salt/firewall/hostgroups/strelka_frontend
--- a/salt/firewall/hostgroups/syslog
+++ b/salt/firewall/hostgroups/syslog
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,7 +1,9 @@
-{% from 'docker/docker.map.jinja' import DOCKER -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
+{%- from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'firewall/map.jinja' import hostgroups with context -%}
+{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
-{% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
+{%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
 {%- set PR = [] %}
 {%- set D1 = [] %}
 {%- set D2 = [] %}
@@ -70,23 +72,17 @@ COMMIT
 :DOCKER-USER - [0:0]
 :LOGGING - [0:0]
-{%- set count = namespace(value=0) %}
+{%- for chn, hostgroups in FIREWALL_MERGED.role[role].chain.items() %}
-{%- for chain, hg in assigned_hostgroups.chain.items() %}
+{%-   for hostgroup, portgroups in hostgroups['hostgroups'].items() %}
-  {%- for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
+{%-     for ip in FIREWALL_MERGED.hostgroups[hostgroup] %}
-    {%- for action in ['insert', 'delete' ] %}
+{%-       for groupname in portgroups['portgroups'] %}
-      {%- if hostgroups[hostgroup].ips[action] %}
+{%-         for proto, ports in FIREWALL_MERGED['portgroups'][groupname].items() %}
        {%- for ip in hostgroups[hostgroup].ips[action] %}
          {%- for portgroup in portgroups.portgroups %}
            {%- for proto, ports in portgroup.items() %}
 {%-           for port in ports %}
-                {%- set count.value = count.value + 1 %}
+-A {{chn}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
 -A {{chain}} -s {{ip}} -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
 {%-           endfor %}
 {%-         endfor %}
 {%-       endfor %}
 {%-     endfor %}
      {%- endif %}
    {%- endfor %}
 {%-   endfor %}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,62 +1,21 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set role = grains.id.split('_') | last %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
-{% set translated_pillar_assigned_hostgroups = {} %}
+{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
-{% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %}
+{# add our ip to self #}
-{% set default_portgroups = default_portgroups.firewall.ports %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
-{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %}
+{# add dockernet range #}
-{% if local_portgroups.firewall.ports %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
  {% set local_portgroups = local_portgroups.firewall.ports %}
 {% else %}
  {% set local_portgroups = {} %}
 {% endif %}
 {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
 {% set defined_portgroups = portgroups %}
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
-{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %}
+{%   do salt['defaults.merge'](FIREWALL_DEFAULT.firewall.portgroups, IDH_PORTGROUPS, in_place=True) %}
 {%   for pg in IDH_PORTGROUPS.keys() %}
 {#     idh service ports start with _idh. this prevents adding openssh to allow from anywhere #}
 {%     if pg.split('_')[0] == 'idh' %}
 {%       do FIREWALL_DEFAULT.firewall.role.idh.chain.INPUT.hostgroups.anywhere.portgroups.append(pg) %}
 {%     endif %}
 {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %}
 {% set hostgroup_list =  salt['cp.list_master'](prefix='firewall/hostgroups') %}
 {% for hg in hostgroup_list %}
 {%   import_text hg as hg_ips %}
 {%   do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %}
 {% endfor %}
 {% set hostgroups = local_hostgroups.firewall.hostgroups %}
 {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
 {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
  {% set translated_pillar_assigned_hostgroups = {'chain': {}} %}
  {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
    {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
      {% if translated_pillar_assigned_hostgroups.chain[chain] is defined %}
        {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %}
      {% else %}
        {% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %}
      {% endif %}
      {% for pillar_portgroup in pillar_portgroups.portgroups %}
        {% set pillar_portgroup = pillar_portgroup.split('.') | last %}
        {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
      {% endfor %}
    {% endfor %}
 {%   endfor %}
 {% endif %}
-{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
+{% set FIREWALL_MERGED = salt['pillar.get']('firewall', FIREWALL_DEFAULT.firewall, merge=True) %}
 {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
 {% if local_assigned_hostgroups.role.get(role, False) %}
  {% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %}
 {% else %}
  {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %}
 {% endif %}
 {% if translated_pillar_assigned_hostgroups %}
  {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}
 {% endif %}
--- a/salt/firewall/ports/ports.yaml
+++ b/salt/firewall/ports/ports.yaml
@@ -1,84 +0,0 @@
 firewall:
  ports:
    all:
      tcp:
        - '0:65535'
      udp:
        - '0:65535'
    agrules:
      tcp:
        - 7788
    beats_5044:
      tcp:
        - 5044
    beats_5644:
      tcp:
        - 5644
    beats_5066:
      tcp:
        - 5066
    beats_5056:
      tcp:
        - 5056
    docker_registry:
      tcp:
        - 5000
    elasticsearch_node:
      tcp:
        - 9300
    elasticsearch_rest:
      tcp:
        - 9200
    elastic_agent_control:
      tcp:
        - 8220
    elastic_agent_data:
      tcp:
        - 5055
    elastic_agent_update:
      tcp:
        - 8443
    endgame:
      tcp:
        - 3765
    influxdb:
      tcp:
        - 8086
    kibana:
      tcp:
        - 5601
    mysql:
      tcp:
        - 3306
    nginx:
      tcp:
        - 80
        - 443
    playbook:
      tcp:
        - 3000
    redis:
      tcp:
        - 6379
        - 9696
    salt_manager:
      tcp:
        - 4505
        - 4506
    sensoroni:
      tcp:
        - 443
    ssh:
      tcp:
        - 22
    strelka_frontend:
      tcp:
        - 57314
    syslog:
      tcp:
        - 514
      udp:
        - 514
    yum:
      tcp:
        - 443
--- a/salt/firewall/soc/defaults_soc_firewall.yaml
+++ b/salt/firewall/soc/defaults_soc_firewall.yaml
@@ -1,136 +0,0 @@
 firewall:
  custom_groups:
    groups:
      description: List of group names to create.
      multiline: True
      forcedType: "[]string"
      global: True
      title: Custom Firewall Groups
      helpLink: firewall.html#host-groups
  hostgroups:
    analyst_workstations:
      description: List of IP addresses or CIDR blocks to allow analyst workstations.
      file: True
      global: True
      title: Analyst Workstations
      helpLink: firewall.html#host-groups
    analyst: 
      description: List of IP addresses or CIDR blocks to allow analyst connections.
      file: True
      global: True
      title: Analyst
      helpLink: firewall.html#host-groups
    beats_endpoint:
      description: List of IP addresses or CIDR blocks of standard beats without encryption.
      file: True
      global: True
      title: Beats Endpoints
      helpLink: firewall.html#host-groups
    beats_endpoint_ssl:
      description: List of IP addresses or CIDR blocks of standard beats with encryption.
      file: True
      global: True
      title: Beats Endpoints SSL
      helpLink: firewall.html#host-groups
    elastic_agent_endpoint:
      description: List of IP addresses or CIDR blocks for Elastic Agent connections.
      file: True
      global: True
      title: Elastic Agents
      helpLink: firewall.html#host-groups
    elasticsearch_rest:
      description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
      file: True
      global: True
      title: Elasticsearch Rest
      advanced: True
      helpLink: firewall.html#host-groups
    endgame:
      description: List of IP addresses or CIDR blocks to allow Endgame access.
      file: True
      global: True
      title: Endgame
      advanced: True
      helpLink: firewall.html#host-groups
    strelka_frontend:
      description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
      file: True
      global: True
      title: Strelka Frontend
      advanced: True
      helpLink: firewall.html#host-groups
    syslog:
      description: List of IP addresses or CIDR blocks to allow syslog.
      file: True
      global: True
      title: Syslog Endpoint Traffic
      helpLink: firewall.html#host-groups
    standalone: 
      description: List of IP addresses or CIDR blocks to allow standalone connections.
      file: True
      global: True
      title: Standalone
      advanced: True
      helpLink: firewall.html#host-groups
    eval: 
      description: List of IP addresses or CIDR blocks to allow eval connections.
      file: True
      global: True
      title: Eval
      advanced: True
      helpLink: firewall.html#host-groups
    idh: 
      description: List of IP addresses or CIDR blocks to allow idh connections.
      file: True
      global: True
      title: IDH Nodes
      helpLink: firewall.html#host-groups
    manager: 
      description: List of IP addresses or CIDR blocks to allow manager connections.
      file: True
      global: True
      title: Manager
      advanced: True
      helpLink: firewall.html#host-groups
    heavynodes: 
      description: List of IP addresses or CIDR blocks to allow heavynode connections.
      file: True
      global: True
      title: Heavy Nodes
      helpLink: firewall.html#host-groups
    searchnodes: 
      description: List of IP addresses or CIDR blocks to allow searchnode connections.
      file: True
      global: True
      title: Search Nodes
      helpLink: firewall.html#host-groups
    sensors:
      description: List of IP addresses or CIDR blocks to allow Sensor connections.
      file: True
      global: True
      title: Sensors
      helpLink: firewall.html#host-groups
    receivers: 
      description: List of IP addresses or CIDR blocks to allow receiver connections.
      file: True
      global: True
      title: Receivers
      helpLink: firewall.html#host-groups
  portgroups:
    portgroups__yaml:
      description: Port Groups
      file: True
      global: True
      advanced: True
      title: Port Groups
      syntax: yaml
      helpLink: firewall.html#function
  ports:
    ports__yaml:
      description: Ports in YAML.
      file: True
      global: True
      advanced: True
      title: Ports
      syntax: yaml
      helpLink: firewall.html#port-groups
--- a/salt/firewall/soc/init.sls
+++ b/salt/firewall/soc/init.sls
@@ -1,5 +0,0 @@
 soc_firewall_yaml:
  file.managed:
    - name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml
    - source: salt://firewall/soc/soc_firewall.yaml.jinja
    - template: jinja
--- a/salt/firewall/soc/soc.map.jinja
+++ b/salt/firewall/soc/soc.map.jinja
@@ -1,9 +0,0 @@
 {% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
 {% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %}
 {% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %}
 {% for group in PILLAR_SOC_FIREWALL_GROUPS %}
 {%   set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %}
 {%   set title = group[0]|upper ~ group[1:] %}
 {%   do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %}
 {% endfor %}
--- a/salt/firewall/soc/soc_firewall.yaml.jinja
+++ b/salt/firewall/soc/soc_firewall.yaml.jinja
@@ -1,2 +0,0 @@
 {% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}
 {{ SOC_FIREWALL | yaml(False) }}
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -0,0 +1,966 @@
 firewall:
  hostgroups:
    analyst: &hostgroupsettings
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
      helplink: firewall.html
      multiline: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
      regexFailureMessage: You must enter a valid IP address or CIDR.
    anywhere: &hostgroupsettingsadv
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
      helplink: firewall.html
      multiline: True
      advanced: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
      regexFailureMessage: You must enter a valid IP address or CIDR.
    beats_endpoint: *hostgroupsettings
    beats_endpoint_ssl: *hostgroupsettings
    dockernet: &ROhostgroupsettingsadv
      description: List of IP or CIDR blocks to allow access to this hostgroup.
      forcedType: "[]string"
      helplink: firewall.html
      multiline: True
      advanced: True
      readonly: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
      regexFailureMessage: You must enter a valid IP address or CIDR.
    elastic_agent_endpoint: *hostgroupsettings
    elasticsearch_rest: *hostgroupsettingsadv
    endgame: *hostgroupsettingsadv
    eval: *hostgroupsettings
    fleet: *hostgroupsettings
    heavynode: *hostgroupsettings
    idh: *hostgroupsettings
    import: *hostgroupsettings
    localhost: *ROhostgroupsettingsadv
    manager: *hostgroupsettings
    managersearch: *hostgroupsettings
    receiver: *hostgroupsettings
    searchnode: *hostgroupsettings
    securityonion_desktop: *hostgroupsettings
    self: *ROhostgroupsettingsadv
    sensor: *hostgroupsettings
    standalone: *hostgroupsettings
    strelka_frontend: *hostgroupsettings
    syslog: *hostgroupsettings
    customhostgroup0: &customhostgroupsettings
      description: List of IP or CIDR blocks to allow to this hostgroup.
      forcedType: "[]string"
      helpLink: firewall.html
      advanced: True
      multiline: True
      regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
      regexFailureMessage: You must enter a valid IP address or CIDR.
    customhostgroup1: *customhostgroupsettings
    customhostgroup2: *customhostgroupsettings
    customhostgroup3: *customhostgroupsettings
    customhostgroup4: *customhostgroupsettings
    customhostgroup5: *customhostgroupsettings
    customhostgroup6: *customhostgroupsettings
    customhostgroup7: *customhostgroupsettings
    customhostgroup8: *customhostgroupsettings
    customhostgroup9: *customhostgroupsettings
  portgroups:
    all:
      tcp: &tcpsettings
        description: List of TCP ports for this port group.
        forcedType: "[]string"
        helplink: firewall.html
        advanced: True
        multiline: True
      udp: &udpsettings
        description: List of UDP ports for this port group.
        forcedType: "[]string"
        helplink: firewall.html
        advanced: True
        multiline: True
    agrules:
      tcp: *tcpsettings
      udp: *udpsettings
    beats_5044:
      tcp: *tcpsettings
      udp: *udpsettings
    beats_5644:
      tcp: *tcpsettings
      udp: *udpsettings
    beats_5066:
      tcp: *tcpsettings
      udp: *udpsettings
    beats_5056:
      tcp: *tcpsettings
      udp: *udpsettings 
    docker_registry:
      tcp: *tcpsettings
      udp: *udpsettings
    elasticsearch_node:
      tcp: *tcpsettings
      udp: *udpsettings
    elasticsearch_rest:
      tcp: *tcpsettings
      udp: *udpsettings
    elastic_agent_control:
      tcp: *tcpsettings
      udp: *udpsettings
    elastic_agent_data:
      tcp: *tcpsettings
      udp: *udpsettings
    elastic_agent_update:
      tcp: *tcpsettings
      udp: *udpsettings
    endgame:
      tcp: *tcpsettings
      udp: *udpsettings
    influxdb:
      tcp: *tcpsettings
      udp: *udpsettings
    kibana:
      tcp: *tcpsettings
      udp: *udpsettings
    mysql:
      tcp: *tcpsettings
      udp: *udpsettings
    nginx:
      tcp: *tcpsettings
      udp: *udpsettings
    playbook:
      tcp: *tcpsettings
      udp: *udpsettings
    redis:
      tcp: *tcpsettings
      udp: *udpsettings
    salt_manager:
      tcp: *tcpsettings
      udp: *udpsettings
    sensoroni:
      tcp: *tcpsettings
      udp: *udpsettings
    ssh:
      tcp: *tcpsettings
      udp: *udpsettings
    strelka_frontend:
      tcp: *tcpsettings
      udp: *udpsettings 
    syslog:
      tcp: *tcpsettings
      udp: *udpsettings
    yum:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup0:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup1:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup2:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup3:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup4:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup5:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup6:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup7:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup8:
      tcp: *tcpsettings
      udp: *udpsettings
    customportgroup9:
      tcp: *tcpsettings
      udp: *udpsettings
  role:
    eval:
      chain:
        DOCKER-USER:
          hostgroups:
            eval:
              portgroups: &portgroupsdocker
                description: Portgroups to add access to the docker containers for this role.
                advanced: True
                multiline: True
                helpLink: firewall.html
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            heavynode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            beats_endpoint: 
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            strelka_frontend:
              portgroups: *portgroupsdocker
            syslog:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker            
        INPUT:
          hostgroups:
            anywhere:
              portgroups: &portgroupshost
                description: Portgroups to add access to the host.
                advanced: True
                multiline: True
                helpLink: firewall.html
            dockernet: 
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    fleet:
      chain:
        DOCKER-USER:
          hostgroups:
            sensor:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupsdocker
            standalone:
              portgroups: *portgroupshost
            sensor:
              portgroups: *portgroupshost
            searchnode:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    manager:
      chain:
        DOCKER-USER:
          hostgroups:
            manager:
              portgroups: *portgroupsdocker                
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            heavynode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            syslog:
              portgroups: *portgroupsdocker
            beats_endpoint:
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            endgame:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            sensor:
              portgroups: *portgroupshost
            searchnode:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    managersearch:
      chain:
        DOCKER-USER:
          hostgroups:
            managersearch:
              portgroups: *portgroupsdocker
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            heavynode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            beats_endpoint:
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            endgame:
              portgroups: *portgroupsdocker
            syslog:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            sensor:
              portgroups: *portgroupshost
            searchnode:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    standalone:
      chain:
        DOCKER-USER:
          hostgroups:
            localhost:
              portgroups: *portgroupsdocker
            standalone:
              portgroups: *portgroupsdocker
            fleet:
              portgroups: *portgroupsdocker
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            heavynode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            beats_endpoint:
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            endgame:
              portgroups: *portgroupsdocker
            strelka_frontend:
              portgroups: *portgroupsdocker
            syslog:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            fleet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            standalone:
              portgroups: *portgroupshost
            sensor:
              portgroups: *portgroupshost
            searchnode:
              portgroups: *portgroupshost
            heavynode:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    searchnode:
      chain:
        DOCKER-USER:
          hostgroups:
            manager:
              portgroups: *portgroupsdocker
            dockernet:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    sensor:
      chain:
        DOCKER-USER:
          hostgroups:
            self:
              portgroups: *portgroupsdocker
            strelka_frontend:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    heavynode:
      chain:
        DOCKER-USER:
          hostgroups:
            manager:
              portgroups: *portgroupsdocker
            dockernet:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            strelka_frontend:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    import:
      chain:
        DOCKER-USER:
          hostgroups:
            manager:
              portgroups: *portgroupsdocker
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            beats_endpoint:
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            elasticsearch_rest:
              portgroups: *portgroupsdocker
            elastic_agent_endpoint:
              portgroups: *portgroupsdocker
            analyst:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    receiver:
      chain:
        DOCKER-USER:
          hostgroups:
            sensor:
              portgroups: *portgroupsdocker
            searchnode:
              portgroups: *portgroupsdocker
            self:
              portgroups: *portgroupsdocker
            syslog:
              portgroups: *portgroupsdocker
            beats_endpoint:
              portgroups: *portgroupsdocker
            beats_endpoint_ssl:
              portgroups: *portgroupsdocker
            endgame:
              portgroups: *portgroupsdocker
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1: 
              portgroups: *portgroupsdocker
            customhostgroup2: 
              portgroups: *portgroupsdocker
            customhostgroup3: 
              portgroups: *portgroupsdocker
            customhostgroup4: 
              portgroups: *portgroupsdocker
            customhostgroup5: 
              portgroups: *portgroupsdocker
            customhostgroup6: 
              portgroups: *portgroupsdocker
            customhostgroup7: 
              portgroups: *portgroupsdocker
            customhostgroup8: 
              portgroups: *portgroupsdocker
            customhostgroup9: 
              portgroups: *portgroupsdocker  
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1: 
              portgroups: *portgroupshost
            customhostgroup2: 
              portgroups: *portgroupshost
            customhostgroup3: 
              portgroups: *portgroupshost
            customhostgroup4: 
              portgroups: *portgroupshost
            customhostgroup5: 
              portgroups: *portgroupshost
            customhostgroup6: 
              portgroups: *portgroupshost
            customhostgroup7: 
              portgroups: *portgroupshost
            customhostgroup8: 
              portgroups: *portgroupshost
            customhostgroup9: 
              portgroups: *portgroupshost
    idh:
      chain:
        DOCKER-USER:
          hostgroups:
            customhostgroup0:
              portgroups: *portgroupsdocker
            customhostgroup1:
              portgroups: *portgroupsdocker
            customhostgroup2:
              portgroups: *portgroupsdocker
            customhostgroup3:
              portgroups: *portgroupsdocker
            customhostgroup4:
              portgroups: *portgroupsdocker
            customhostgroup5:
              portgroups: *portgroupsdocker
            customhostgroup6:
              portgroups: *portgroupsdocker
            customhostgroup7:
              portgroups: *portgroupsdocker
            customhostgroup8:
              portgroups: *portgroupsdocker
            customhostgroup9:
              portgroups: *portgroupsdocker
        INPUT:
          hostgroups:
            anywhere:
              portgroups: *portgroupshost
            dockernet:
              portgroups: *portgroupshost
            localhost:
              portgroups: *portgroupshost
            manager:
              portgroups: *portgroupshost
            managersearch:
              portgroups: *portgroupshost
            standalone:
              portgroups: *portgroupshost
            customhostgroup0:
              portgroups: *portgroupshost
            customhostgroup1:
              portgroups: *portgroupshost
            customhostgroup2:
              portgroups: *portgroupshost
            customhostgroup3:
              portgroups: *portgroupshost
            customhostgroup4:
              portgroups: *portgroupshost
            customhostgroup5:
              portgroups: *portgroupshost
            customhostgroup6:
              portgroups: *portgroupshost
            customhostgroup7:
              portgroups: *portgroupshost
            customhostgroup8:
              portgroups: *portgroupshost
            customhostgroup9:
              portgroups: *portgroupshost
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -74,7 +74,6 @@ base:
    - telegraf
    - influxdb
    - soc
    - firewall.soc
    - kratos
    - firewall
    - idstools
@@ -119,7 +118,6 @@ base:
    - telegraf
    - influxdb
    - soc
    - firewall.soc
    - kratos
    - firewall
    - manager
@@ -162,7 +160,6 @@ base:
    - telegraf
    - influxdb
    - soc
    - firewall.soc
    - kratos
    - firewall
    - idstools
@@ -226,7 +223,6 @@ base:
    - telegraf
    - influxdb
    - soc
    - firewall.soc
    - kratos
    - firewall
    - manager
@@ -296,7 +292,6 @@ base:
    - telegraf
    - influxdb
    - soc
    - firewall.soc
    - kratos
    - firewall
    - idstools
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2312,18 +2312,18 @@ set_initial_firewall_policy() {
 	case "$install_type" in
 		'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
-			$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
+			$default_salt_dir/salt/common/tools/sbin/so-firewall includehost $minion_type $MAINIP --apply
 			;;
 	esac
 }
 set_initial_firewall_access() {
 	if [[ ! -z "$ALLOW_CIDR" ]]; then
-		$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true
+		$default_salt_dir/salt/common/tools/sbin/so-firewall includehost analyst $ALLOW_CIDR --apply
 	fi
 	if [[ ! -z "$MINION_CIDR" ]]; then
-		$default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false
+		$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensors $MINION_CIDR
-		$default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true
+		$default_salt_dir/salt/common/tools/sbin/so-firewall includehost searchnodes $MINION_CIDR --apply
 	fi
 }
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -471,7 +471,7 @@ whiptail_gauge_post_setup() {
 	[ -n "$TESTING" ] && return
 	idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
-		"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
+		"\nBy default, IDH services will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \
 		"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
		`@@ -1,2 +0,0 @@`
			`{% from 'docker/docker.map.jinja' import DOCKER -%}`
			`{{ DOCKER.sorange }}`
		`@@ -1,2 +0,0 @@`
			`{% from 'vars/globals.map.jinja' import GLOBALS -%}`
			`{{ GLOBALS.node_ip }}`
		`@@ -1,2 +0,0 @@`
			`{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%}`
			`{{ SOC_FIREWALL \| yaml(False) }}`