add chain to iptables state - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641

2025-12-06 17:22:49 +01:00 · 2020-06-09 13:30:24 -04:00
parent 721f2682ac
commit accb3d536d
11 changed files with 394 additions and 1004 deletions
--- a/salt/firewall/assigned_hostgroups.local.map.yaml
+++ b/salt/firewall/assigned_hostgroups.local.map.yaml
@@ -6,16 +6,9 @@

 role:
  eval:
-    hostgroups:
-  helixsensor:
-    hostgroups:
+  helisensor:
  master:
-    hostgroups:
  mastersearch:
-    hostgroups:
  standalone:
-    hostgroups:
  searchnode:
-    hostgroups:
-  fleet:
-    hostgroups:
+  fleet:
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -3,286 +3,376 @@

 role:
  eval:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      master:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint }}
-          - {{ portgroups.playbook }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.navigator }}
-          - {{ portgroups.kibana }}
-          - {{ portgroups.redis }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.fleet_api }}
-          - {{ portgroups.cortex }}
-          - {{ portgroups.elasticsearch_rest }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.cortex_es_rest }}
-          - {{ portgroups.cortex_es_node }}
-      minion:
-        portgroups:
-          - {{ portgroups.acng }}
-          - {{ portgroups.salt_master }}
-          - {{ portgroups.docker_registry }}
-          - {{ portgroups.osquery_8080 }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.wazuh_minion }}
-      sensor:
-        portgroups:
-          - {{ portgroups.sensoroni }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
-      search_node:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.elasticsearch_node }}
-      beats_endpoint:
-        portgroups:
-          - {{ portgroups.beats_5044 }}
-      osquery_endpoint:
-        portgroups:
-          - {{ portgroups.fleet_api }}
-      wazuh_endpoint:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint  }}
-      analyst:
-        portgroups:
-          - {{ portgroups.nginx }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint }}
+              - {{ portgroups.playbook }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.navigator }}
+              - {{ portgroups.kibana }}
+              - {{ portgroups.redis }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.cortex }}
+              - {{ portgroups.elasticsearch_rest }}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.cortex_es_rest }}
+              - {{ portgroups.cortex_es_node }}
+          minion:
+            portgroups:
+              - {{ portgroups.acng }}
+              - {{ portgroups.docker_registry }}
+              - {{ portgroups.osquery_8080 }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.wazuh_minion }}
+          sensor:
+            portgroups:
+              - {{ portgroups.sensoroni }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.elasticsearch_node }}
+          self:
+            portgroups:
+              - {{ portgroups.syslog}}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          osquery_endpoint:
+            portgroups:
+              - {{ portgroups.fleet_api }}
+          wazuh_endpoint:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint  }}
+          analyst:
+            portgroups:
+              - {{ portgroups.nginx }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
+          minion:
+            portgroups:
+              - {{ portgroups.salt_master }}
  helixsensor:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      master:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint }}
-          - {{ portgroups.playbook }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.navigator }}
-          - {{ portgroups.kibana }}
-          - {{ portgroups.redis }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.fleet_api }}
-          - {{ portgroups.cortex }}
-          - {{ portgroups.elasticsearch_rest }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.cortex_es_rest }}
-          - {{ portgroups.cortex_es_node }}
-      minion:
-        portgroups:
-          - {{ portgroups.acng }}
-          - {{ portgroups.salt_master }}
-          - {{ portgroups.docker_registry }}
-          - {{ portgroups.osquery_8080 }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.wazuh_minion }}
-      sensor:
-        portgroups:
-          - {{ portgroups.sensoroni }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
-      search_node:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.elasticsearch_node }}
-      beats_endpoint:
-        portgroups:
-          - {{ portgroups.beats_5044 }}
-      osquery_endpoint:
-        portgroups:
-          - {{ portgroups.fleet_api }}
-      wazuh_endpoint:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint  }}
-      analyst:
-        portgroups:
-          - {{ portgroups.nginx }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint }}
+              - {{ portgroups.playbook }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.navigator }}
+              - {{ portgroups.kibana }}
+              - {{ portgroups.redis }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.cortex }}
+              - {{ portgroups.elasticsearch_rest }}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.cortex_es_rest }}
+              - {{ portgroups.cortex_es_node }}
+          minion:
+            portgroups:
+              - {{ portgroups.acng }}
+              - {{ portgroups.docker_registry }}
+              - {{ portgroups.osquery_8080 }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.wazuh_minion }}
+          sensor:
+            portgroups:
+              - {{ portgroups.sensoroni }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.elasticsearch_node }}
+          self:
+            portgroups:
+              - {{ portgroups.syslog}}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          osquery_endpoint:
+            portgroups:
+              - {{ portgroups.fleet_api }}
+          wazuh_endpoint:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint  }}
+          analyst:
+            portgroups:
+              - {{ portgroups.nginx }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
+          minion:
+            portgroups:
+              - {{ portgroups.salt_master }}
  master:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      master:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint }}
-          - {{ portgroups.playbook }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.navigator }}
-          - {{ portgroups.kibana }}
-          - {{ portgroups.redis }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.fleet_api }}
-          - {{ portgroups.cortex }}
-          - {{ portgroups.elasticsearch_rest }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.cortex_es_rest }}
-          - {{ portgroups.cortex_es_node }}
-      minion:
-        portgroups:
-          - {{ portgroups.acng }}
-          - {{ portgroups.salt_master }}
-          - {{ portgroups.docker_registry }}
-          - {{ portgroups.osquery_8080 }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.wazuh_minion }}
-      sensor:
-        portgroups:
-          - {{ portgroups.sensoroni }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
-      search_node:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.elasticsearch_node }}
-      beats_endpoint:
-        portgroups:
-          - {{ portgroups.beats_5044 }}
-      osquery_endpoint:
-        portgroups:
-            - {{ portgroups.fleet_api }}
-      wazuh_endpoint:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint  }}
-      analyst:
-        portgroups:
-          - {{ portgroups.nginx }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint }}
+              - {{ portgroups.playbook }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.navigator }}
+              - {{ portgroups.kibana }}
+              - {{ portgroups.redis }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.cortex }}
+              - {{ portgroups.elasticsearch_rest }}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.cortex_es_rest }}
+              - {{ portgroups.cortex_es_node }}
+          minion:
+            portgroups:
+              - {{ portgroups.acng }}
+              - {{ portgroups.docker_registry }}
+              - {{ portgroups.osquery_8080 }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.wazuh_minion }}
+          sensor:
+            portgroups:
+              - {{ portgroups.sensoroni }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.elasticsearch_node }}
+          self:
+            portgroups:
+              - {{ portgroups.syslog}}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          osquery_endpoint:
+            portgroups:
+              - {{ portgroups.fleet_api }}
+          wazuh_endpoint:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint  }}
+          analyst:
+            portgroups:
+              - {{ portgroups.nginx }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
+          minion:
+            portgroups:
+              - {{ portgroups.salt_master }}
  mastersearch:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      master:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint }}
-          - {{ portgroups.playbook }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.navigator }}
-          - {{ portgroups.kibana }}
-          - {{ portgroups.redis }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.fleet_api }}
-          - {{ portgroups.cortex }}
-          - {{ portgroups.elasticsearch_rest }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.cortex_es_rest }}
-          - {{ portgroups.cortex_es_node }}
-      minion:
-        portgroups:
-          - {{ portgroups.acng }}
-          - {{ portgroups.salt_master }}
-          - {{ portgroups.docker_registry }}
-          - {{ portgroups.osquery_8080 }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.wazuh_minion }}
-      sensor:
-        portgroups:
-          - {{ portgroups.sensoroni }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
-      search_node:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.elasticsearch_node }}
-      beats_endpoint:
-        portgroups:
-          - {{ portgroups.beats_5044 }}
-      osquery_endpoint:
-        portgroups:
-          - {{ portgroups.fleet_api }}
-      wazuh_endpoint:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint  }}
-      analyst:
-        portgroups:
-          - {{ portgroups.nginx }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint }}
+              - {{ portgroups.playbook }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.navigator }}
+              - {{ portgroups.kibana }}
+              - {{ portgroups.redis }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.cortex }}
+              - {{ portgroups.elasticsearch_rest }}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.cortex_es_rest }}
+              - {{ portgroups.cortex_es_node }}
+          minion:
+            portgroups:
+              - {{ portgroups.acng }}
+              - {{ portgroups.docker_registry }}
+              - {{ portgroups.osquery_8080 }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.wazuh_minion }}
+          sensor:
+            portgroups:
+              - {{ portgroups.sensoroni }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.elasticsearch_node }}
+          self:
+            portgroups:
+              - {{ portgroups.syslog}}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          osquery_endpoint:
+            portgroups:
+              - {{ portgroups.fleet_api }}
+          wazuh_endpoint:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint  }}
+          analyst:
+            portgroups:
+              - {{ portgroups.nginx }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
+          minion:
+            portgroups:
+              - {{ portgroups.salt_master }}
  standalone:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      master:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint }}
-          - {{ portgroups.playbook }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.navigator }}
-          - {{ portgroups.kibana }}
-          - {{ portgroups.redis }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.fleet_api }}
-          - {{ portgroups.cortex }}
-          - {{ portgroups.elasticsearch_rest }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.cortex_es_rest }}
-          - {{ portgroups.cortex_es_node }}
-      minion:
-        portgroups:
-          - {{ portgroups.acng }}
-          - {{ portgroups.salt_master }}
-          - {{ portgroups.docker_registry }}
-          - {{ portgroups.osquery_8080 }}
-          - {{ portgroups.influxdb }}
-          - {{ portgroups.wazuh_minion }}
-      sensor:
-        portgroups:
-          - {{ portgroups.sensoroni }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
-      search_node:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.elasticsearch_node }}
-      beats_endpoint:
-        portgroups:
-          - {{ portgroups.beats_5044 }}
-      osquery_endpoint:
-        portgroups:
-          - {{ portgroups.fleet_api }}
-      wazuh_endpoint:
-        portgroups:
-          - {{ portgroups.wazuh_endpoint  }}
-      analyst:
-        portgroups:
-          - {{ portgroups.nginx }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint }}
+              - {{ portgroups.playbook }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.navigator }}
+              - {{ portgroups.kibana }}
+              - {{ portgroups.redis }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.fleet_api }}
+              - {{ portgroups.cortex }}
+              - {{ portgroups.elasticsearch_rest }}
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.cortex_es_rest }}
+              - {{ portgroups.cortex_es_node }}
+          minion:
+            portgroups:
+              - {{ portgroups.acng }}
+              - {{ portgroups.docker_registry }}
+              - {{ portgroups.osquery_8080 }}
+              - {{ portgroups.influxdb }}
+              - {{ portgroups.wazuh_minion }}
+          sensor:
+            portgroups:
+              - {{ portgroups.sensoroni }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
+          search_node:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.elasticsearch_node }}
+          self:
+            portgroups:
+              - {{ portgroups.syslog}}
+          beats_endpoint:
+            portgroups:
+              - {{ portgroups.beats_5044 }}
+          osquery_endpoint:
+            portgroups:
+              - {{ portgroups.fleet_api }}
+          wazuh_endpoint:
+            portgroups:
+              - {{ portgroups.wazuh_endpoint  }}
+          analyst:
+            portgroups:
+              - {{ portgroups.nginx }}
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}
+          minion:
+            portgroups:
+              - {{ portgroups.salt_master }}
+
  searchnode:
-    hostgroups:
-      master:
-        portgroups:
-          - {{ portgroups.elasticsearch_node }}
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-          - {{ portgroups.elasticsearch_node }}
-          - {{ portgroups.elasticsearch_node }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          master:
+            portgroups:
+              - {{ portgroups.elasticsearch_node }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.elasticsearch_node }}
+      INPUT:
+        hostgroups:
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
  sensor:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
+    chain:
+      INPUT:
+        hostgroups:
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
  heavynode:
-    hostgroups:
-      self:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.beats_5044 }}
-          - {{ portgroups.beats_5644 }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          self:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.beats_5044 }}
+              - {{ portgroups.beats_5644 }}
  fleet:
-    hostgroups:
-      dockernet:
-        portgroups:
-          - {{ portgroups.all }}
-      self:
-        portgroups:
-          - {{ portgroups.redis }}
-          - {{ portgroups.mysql }}
-          - {{ portgroups.osquery_8080 }}
-      localhost:
-        portgroups:
-          - {{ portgroups.mysql }}
-          - {{ portgroups.osquery_8080 }}
-      analyst:
-        portgroups:
-          - {{ portgroups.fleet_webui }}
+    chain:
+      DOCKER-USER:
+        hostgroups:
+          self:
+            portgroups:
+              - {{ portgroups.redis }}
+              - {{ portgroups.mysql }}
+              - {{ portgroups.osquery_8080 }}
+          localhost:
+            portgroups:
+              - {{ portgroups.mysql }}
+              - {{ portgroups.osquery_8080 }}
+          analyst:
+            portgroups:
+              - {{ portgroups.fleet_webui }}
+      INPUT:
+        hostgroups:
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
--- a/salt/firewall/hostgroups.local.yaml
+++ b/salt/firewall/hostgroups.local.yaml
@@ -4,7 +4,6 @@ firewall:
      ips:
        delete:
        insert:
-          - 10.11.1.1
    beats_endpoint:
      ips:
        delete:
@@ -44,5 +43,4 @@ firewall:
    wazuh_endpoint:
      ips:
        delete:
-        insert:
-       
+        insert:
--- a/salt/firewall/hostgroups.yaml
+++ b/salt/firewall/hostgroups.yaml
@@ -1,5 +1,10 @@
 firewall:
  hostgroups:
+    anywhere:
+      ips:
+        delete:
+        insert:
+          - 0.0.0.0/0
    dockernet:
      ips:
        delete:
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -136,30 +136,34 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:

 {% endif %} 

-{% for hostgroup, portgroups in assigned_hostgroups.role[role].hostgroups.items() %}
-  {% for action in ['insert', 'delete' ] %}
-    {% if hostgroups[hostgroup].ips[action] %}
-      {% for ip in hostgroups[hostgroup].ips[action] %}
-        {% for portgroup in portgroups.portgroups %}
-          {% for proto, ports in portgroup.items() %}
-            {% for port in ports %}
+{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}
+  {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %}
+    {% for action in ['insert', 'delete' ] %}
+      {% if hostgroups[hostgroup].ips[action] %}
+        {% for ip in hostgroups[hostgroup].ips[action] %}
+          {% for portgroup in portgroups.portgroups %}
+            {% for proto, ports in portgroup.items() %}
+              {% for port in ports %}

-{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
+{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
  iptables.{{action}}:
    - table: filter
-    - chain: DOCKER-USER
+    - chain: {{ chain }}
    - jump: ACCEPT
    - proto: {{ proto }}
    - source: {{ ip }}
    - dport: {{ port }}
+              {% if action == 'insert' %}
    - position: 1
+              {% endif %}
    - save: True

+              {% endfor %}
            {% endfor %}
          {% endfor %}
        {% endfor %}
-      {% endfor %}
-    {% endif %}
+      {% endif %}
+    {% endfor %}
  {% endfor %}
 {% endfor %}

--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -71,6 +71,12 @@ firewall:
      sensoroni:
        tcp:
          - 443
+      ssh:
+        tcp:
+          - 22
+      syslog:
+        tcp:
+          - 514
      wazuh_minion:
        tcp:
          - 55000
--- a/salt/firewall/unneeded_hostgroups.local.yaml
+++ b/salt/firewall/unneeded_hostgroups.local.yaml
@@ -1,115 +0,0 @@
-{% import_yaml 'firewall/port_groups.yaml' as default_port_groups %}
-{% set default_port_groups = default_port_groups.firewall.aliases.ports %}
-
-{% import_yaml 'firewall/port_groups.local.yaml' as local_port_groups %}
-{% set local_port_groups = local_port_groups.firewall.aliases.ports %}
-
-{% set port_groups = local_port_groups, default=default_port_groups, merge=True %}
-
-firewall:
-  aliases:
-    analyst:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.nginx }}
-    beats_endpoint:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.beats_5044 }}
-    dockernet:
-      ips:
-        delete:
-        allow:
-          - 172.17.0.0/24
-    fleet:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.mysql }}
-        - {{ port_groups.redis }}
-        - {{ port_groups.osquery_8080 }}
-    heavy_node:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.redis }}
-        - {{ port_groups.beats_5044 }}
-        - {{ port_groups.beats_5644 }}
-    localhost:
-      ips:
-        delete:
-        allow:
-          - 127.0.0.1
-    master:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.wazuh_endpoint }}
-        - {{ port_groups.playbook }}
-        - {{ port_groups.mysql }}
-        - {{ port_groups.navigator }}
-        - {{ port_groups.kibana }}
-        - {{ port_groups.redis }}
-        - {{ port_groups.influxdb }}
-        - {{ port_groups.osquery_8090 }}
-        - {{ port_groups.cortex }}
-        - {{ port_groups.elasticsearch_rest }}
-        - {{ port_groups.elasticsearch_node }}
-        - {{ port_groups.cortex_es_rest }}
-        - {{ port_groups.cortex_es_node }}
-    minion:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.acng }}
-        - {{ port_groups.salt_master }}
-        - {{ port_groups.docker_registry }}
-        - {{ port_groups.osquery_8080 }}
-        - {{ port_groups.influxdb }}
-        - {{ port_groups.wazuh_minion }}
-    node:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.elasticsearch_node }}
-    osquery_endpoint:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.osquery_8090 }}
-    search_node:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.redis }}
-        - {{ port_groups.elasticsearch_node }}
-    self:
-      ips:
-        delete:
-        allow:
-          - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint'))))[0] }}
-    sensor:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.sensoroni }}
-        - {{ port_groups.beats_5044 }}
-        - {{ port_groups.beats_5644 }}
-    wazuh_endpoint:
-      ips:
-        delete:
-        allow:
-      port_groups:
-        - {{ port_groups.wazuh_endpoint }}
--- a/salt/firewall/unneeded_hostgroups.yaml
+++ b/salt/firewall/unneeded_hostgroups.yaml
@@ -1,95 +0,0 @@
-{% import_yaml 'firewall/port_groups.yaml' as port_groups %}
-{% set port_groups = port_groups.firewall.aliases.ports %}
-
-firewall:
-  aliases:
-    analyst:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.nginx }}
-    beats_endpoint:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.beats_5044 }}
-    fleet:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.mysql }}
-        - {{ port_groups.redis }}
-        - {{ port_groups.osquery_8080 }}
-    heavy_node:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.redis }}
-        - {{ port_groups.beats_5044 }}
-        - {{ port_groups.beats_5644 }}
-    master:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.wazuh_endpoint }}
-        - {{ port_groups.playbook }}
-        - {{ port_groups.mysql }}
-        - {{ port_groups.navigator }}
-        - {{ port_groups.kibana }}
-        - {{ port_groups.redis }}
-        - {{ port_groups.influxdb }}
-        - {{ port_groups.osquery_8090 }}
-        - {{ port_groups.cortex }}
-        - {{ port_groups.elasticsearch_rest }}
-        - {{ port_groups.elasticsearch_node }}
-        - {{ port_groups.cortex_es_rest }}
-        - {{ port_groups.cortex_es_node }}
-    minion:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.acng }}
-        - {{ port_groups.salt_master }}
-        - {{ port_groups.docker_registry }}
-        - {{ port_groups.osquery_8080 }}
-        - {{ port_groups.influxdb }}
-        - {{ port_groups.wazuh_minion }}
-    node:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.elasticsearch_node }}
-    osquery_endpoint:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.osquery_8090 }}
-    search_node:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.redis }}
-        - {{ port_groups.elasticsearch_node }}
-    sensor:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.sensoroni }}
-        - {{ port_groups.beats_5044 }}
-        - {{ port_groups.beats_5644 }}
-    wazuh_endpoint:
-      ips:
-        delete:
-        insert:
-      port_groups:
-        - {{ port_groups.wazuh_endpoint }}
--- a/salt/firewall/unneeded_ports.yml
+++ b/salt/firewall/unneeded_ports.yml
@@ -1,145 +0,0 @@
-firewall:
-  aliases:
-    analyst:
-      ports:
-        nginx:
-          tcp:
-            - 80
-            - 443
-    beats_endpoint:
-      ports:
-        beats:
-          tcp:
-            - 5044
-    fleet:
-      ports:
-        mysql:
-          tcp:
-            - 3306
-        redis:
-          tcp:
-            - 6379
-        osquery:
-          tcp:
-            - 8080
-    forward_nodes:
-      ports:
-        sensoroni:
-          tcp:
-            - 443
-        beats:
-          tcp:
-            - 5044
-        beats_so:
-          tcp:
-            - 5644
-    heavy_node:
-      ports:
-        redis:
-          tcp: 
-            - 6379
-        beats:
-            - 5044
-        beats2:
-            - 5644
-    master:
-      ports:
-        wazuh:
-          tcp:
-            - 1514
-          udp:
-            - 1514
-        playbook:
-          tcp:
-            - 3200
-        mysql:
-          tcp:
-            - 3306
-        navigator:
-          tcp:
-            - 4200
-        kibana:
-          tcp:
-            - 5601
-        redis:
-          tcp:
-            - 6379
-        influxdb:
-          tcp:
-            - 8086
-        osquery:
-          tcp:
-            - 8090
-        cortex:
-          tcp:
-            - 9001
-        elasticsearch_rest:
-          tcp:
-            - 9200
-        elasticsearch_node:
-          tcp:
-            - 9300
-        cortex_es_rest:
-          tcp:
-            - 9400
-        cortex_es_node:
-          tcp:
-            - 9500
-    minions:
-      ports:
-        acng:
-            - 3142
-        salt:
-          tcp:
-            - 4505
-            - 4506
-        registry:
-          tcp:
-            - 5000
-        osquery:
-          tcp:
-            - 8080
-        influxdb:
-          tcp:
-            - 8086
-        wazuh:
-          tcp:
-            - 55000
-    node:
-      ports:
-        elasticsearch_node:
-          tcp:
-            - 9300
-    osquery_endpoint:
-      ports:
-        fleet:
-          tcp:
-            - 8090
-    search_nodes:
-      ports:
-        redis:
-          tcp:
-            - 6379
-        elasticsearch_node:
-            - 9300
-    sensor:
-      ports:      
-    wazuh_endpoint:
-      ports:
-        wazuh:
-          tcp:
-            - 1514
-          udp:
-            - 1514
-
-        
-        
-          
-
-    
-        
-
-
-        
-        
-          
--- a/salt/firewall/unneeded_ports.yml.old
+++ b/salt/firewall/unneeded_ports.yml.old
@@ -1,63 +0,0 @@
-firewall:
-  aliases:
-    analyst:
-      ports:
-        tcp:
-          - 80
-          - 443
-        udp:
-    beats_endpoint:
-      ports:
-        tcp:
-          - 5044
-    forward_nodes:
-      ports:
-        tcp:
-          - 443
-          - 5044
-          - 5644
-          - 9822
-        udp:
-    master:
-      ports:
-        tcp:
-          - 1514
-          - 3200
-          - 3306
-          - 4200
-          - 5601
-          - 6379
-          - 8086
-          - 8090
-          - 9001
-          - 9200
-          - 9300
-          - 9400  
-          - 9500
-        udp:
-          - 1514
-    minions:
-      ports:
-        tcp:
-          - 3142
-          - 4505
-          - 4506
-          - 5000
-          - 8080
-          - 8086
-          - 55000      
-    osquery_endpoint:
-      ports:
-        tcp:
-          - 8090
-    search_nodes:
-      ports:
-        tcp:
-          - 6379
-          - 9300
-    wazuh_endpoint:
-      ports:
-        tcp:
-          - 1514
-        udp: 
-          -1514
--- a/salt/firewall/unneeded_role.map.jinja
+++ b/salt/firewall/unneeded_role.map.jinja
@@ -1,288 +0,0 @@
-{% import_yaml 'firewall/port_groups.yaml' as port_groups %}
-{% set port_groups = port_groups.firewall.aliases.ports %}
-
-role:
-  eval:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      master:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint }}
-          - {{ port_groups.playbook }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.navigator }}
-          - {{ port_groups.kibana }}
-          - {{ port_groups.redis }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.fleet_api }}
-          - {{ port_groups.cortex }}
-          - {{ port_groups.elasticsearch_rest }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.cortex_es_rest }}
-          - {{ port_groups.cortex_es_node }}
-      minion:
-        port_groups:
-          - {{ port_groups.acng }}
-          - {{ port_groups.salt_master }}
-          - {{ port_groups.docker_registry }}
-          - {{ port_groups.osquery_8080 }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.wazuh_minion }}
-      sensor:
-        port_groups:
-          - {{ port_groups.sensoroni }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-      search_node:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.elasticsearch_node }}
-      beats_endpoint:
-        port_groups:
-          - {{ port_groups.beats_5044 }}
-      osquery_endpoint:
-        port_groups:
-          - {{ port_groups.fleet_api }}
-      wazuh_endpoint:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint  }}
-      analyst:
-        port_groups:
-          - {{ port_groups.nginx }}
-  helisensor:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      master:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint }}
-          - {{ port_groups.playbook }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.navigator }}
-          - {{ port_groups.kibana }}
-          - {{ port_groups.redis }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.fleet_api }}
-          - {{ port_groups.cortex }}
-          - {{ port_groups.elasticsearch_rest }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.cortex_es_rest }}
-          - {{ port_groups.cortex_es_node }}
-      minion:
-        port_groups:
-          - {{ port_groups.acng }}
-          - {{ port_groups.salt_master }}
-          - {{ port_groups.docker_registry }}
-          - {{ port_groups.osquery_8080 }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.wazuh_minion }}
-      sensor:
-        port_groups:
-          - {{ port_groups.sensoroni }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-      search_node:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.elasticsearch_node }}
-      beats_endpoint:
-        port_groups:
-          - {{ port_groups.beats_5044 }}
-      osquery_endpoint:
-        port_groups:
-          - {{ port_groups.fleet_api }}
-      wazuh_endpoint:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint  }}
-      analyst:
-        port_groups:
-          - {{ port_groups.nginx }}
-  master:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      master:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint }}
-          - {{ port_groups.playbook }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.navigator }}
-          - {{ port_groups.kibana }}
-          - {{ port_groups.redis }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.fleet_api }}
-          - {{ port_groups.cortex }}
-          - {{ port_groups.elasticsearch_rest }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.cortex_es_rest }}
-          - {{ port_groups.cortex_es_node }}
-      minion:
-        port_groups:
-          - {{ port_groups.acng }}
-          - {{ port_groups.salt_master }}
-          - {{ port_groups.docker_registry }}
-          - {{ port_groups.osquery_8080 }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.wazuh_minion }}
-      sensor:
-        port_groups:
-          - {{ port_groups.sensoroni }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-      search_node:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.elasticsearch_node }}
-      beats_endpoint:
-        port_groups:
-          - {{ port_groups.beats_5044 }}
-      osquery_endpoint:
-        port_groups:
-            - {{ port_groups.fleet_api }}
-      wazuh_endpoint:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint  }}
-      analyst:
-        port_groups:
-          - {{ port_groups.nginx }}
-  mastersearch:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      master:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint }}
-          - {{ port_groups.playbook }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.navigator }}
-          - {{ port_groups.kibana }}
-          - {{ port_groups.redis }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.fleet_api }}
-          - {{ port_groups.cortex }}
-          - {{ port_groups.elasticsearch_rest }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.cortex_es_rest }}
-          - {{ port_groups.cortex_es_node }}
-      minion:
-        port_groups:
-          - {{ port_groups.acng }}
-          - {{ port_groups.salt_master }}
-          - {{ port_groups.docker_registry }}
-          - {{ port_groups.osquery_8080 }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.wazuh_minion }}
-      sensor:
-        port_groups:
-          - {{ port_groups.sensoroni }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-      search_node:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.elasticsearch_node }}
-      beats_endpoint:
-        port_groups:
-          - {{ port_groups.beats_5044 }}
-      osquery_endpoint:
-        port_groups:
-          - {{ port_groups.fleet_api }}
-      wazuh_endpoint:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint  }}
-      analyst:
-        port_groups:
-          - {{ port_groups.nginx }}
-  standalone:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      master:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint }}
-          - {{ port_groups.playbook }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.navigator }}
-          - {{ port_groups.kibana }}
-          - {{ port_groups.redis }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.fleet_api }}
-          - {{ port_groups.cortex }}
-          - {{ port_groups.elasticsearch_rest }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.cortex_es_rest }}
-          - {{ port_groups.cortex_es_node }}
-      minion:
-        port_groups:
-          - {{ port_groups.acng }}
-          - {{ port_groups.salt_master }}
-          - {{ port_groups.docker_registry }}
-          - {{ port_groups.osquery_8080 }}
-          - {{ port_groups.influxdb }}
-          - {{ port_groups.wazuh_minion }}
-      sensor:
-        port_groups:
-          - {{ port_groups.sensoroni }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-      search_node:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.elasticsearch_node }}
-      beats_endpoint:
-        port_groups:
-          - {{ port_groups.beats_5044 }}
-      osquery_endpoint:
-        port_groups:
-          - {{ port_groups.fleet_api }}
-      wazuh_endpoint:
-        port_groups:
-          - {{ port_groups.wazuh_endpoint  }}
-      analyst:
-        port_groups:
-          - {{ port_groups.nginx }}
-  searchnode:
-    hostgroups:
-      master:
-        port_groups:
-          - {{ port_groups.elasticsearch_node }}
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-          - {{ port_groups.elasticsearch_node }}
-          - {{ port_groups.elasticsearch_node }}
-  sensor:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-  heavynode:
-    hostgroups:
-      self:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.beats_5044 }}
-          - {{ port_groups.beats_5644 }}
-  fleet:
-    hostgroups:
-      dockernet:
-        port_groups:
-          - {{ port_groups.all }}
-      self:
-        port_groups:
-          - {{ port_groups.redis }}
-          - {{ port_groups.mysql }}
-          - {{ port_groups.osquery_8080 }}
-      localhost:
-        port_groups:
-          - {{ port_groups.mysql }}
-          - {{ port_groups.osquery_8080 }}
-      analyst:
-        port_groups:
-          - {{ port_groups.fleet_webui }}