From dd8627f9ddba61f2e27898a7ca1baf3c647e2a74 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 May 2020 11:36:38 -0400 Subject: [PATCH 01/22] Initial Firewall State Simplification --- pillar/firewall/addfirewall.sh | 2 +- pillar/firewall/ports.sls | 62 ++++++++++++ salt/firewall/init.sls | 180 ++++++++++++--------------------- salt/top.sls | 2 +- setup/so-functions | 8 +- 5 files changed, 134 insertions(+), 120 deletions(-) create mode 100644 pillar/firewall/ports.sls diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh index fa1f1c617..9963d08db 100644 --- a/pillar/firewall/addfirewall.sh +++ b/pillar/firewall/addfirewall.sh @@ -8,6 +8,6 @@ IPADDRESS=$2 if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then echo "Firewall Rule Already There" else - echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls + echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls salt-call state.apply firewall queue=True fi diff --git a/pillar/firewall/ports.sls b/pillar/firewall/ports.sls new file mode 100644 index 000000000..29f711c13 --- /dev/null +++ b/pillar/firewall/ports.sls @@ -0,0 +1,62 @@ +firewall: + analyst: + ports: + tcp: + - 80 + - 443 + udp: + beats_endpoint: + ports: + tcp: + - 5044 + forward_nodes: + ports: + tcp: + - 443 + - 5044 + - 5644 + - 9822 + udp: + master: + ports: + tcp: + - 1514 + - 3200 + - 3306 + - 4200 + - 5601 + - 6379 + - 8086 + - 8090 + - 9001 + - 9200 + - 9300 + - 9400 + - 9500 + udp: + - 1514 + minions: + ports: + tcp: + - 3142 + - 4505 + - 4506 + - 5000 + - 8080 + - 8086 + - 55000 + osquery_endpoint: + ports: + tcp: + - 8090 + search_nodes: + ports: + tcp: + - 6379 + - 9300 + wazuh_endpoint: + ports: + tcp: + - 1514 + udp: + -1514 diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 85db566f6..a0bd50717 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
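Review bot: `udp: -1514` under `wazuh_endpoint` in the new pillar/firewall/ports.sls is missing the space after the dash, so YAML loads it as the integer -1514 rather than a one-element list; it should be `- 1514` as a list item under `udp:`, matching the `master` entry above it. Several `udp:` keys (under `analyst` and `forward_nodes`) are left empty and therefore load as null, so whatever later iterates the per-protocol lists must either guard against null or these empty keys should be dropped. Nothing in this patch adds the new file to a pillar top file, so confirm it is actually served to minions before depending on `firewall:*:ports`.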
@@ -112,29 +112,6 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' -# Add rule(s) for Wazuh manager -enable_wazuh_manager_1514_tcp_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -enable_wazuh_manager_1514_udp_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: udp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - # Rules if you are a Master {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-helix' or grains['role'] == 'so-mastersearch' %} #This should be more granular @@ -147,16 +124,16 @@ iptables_allow_master_docker: - position: 1 - save: True -{% for ip in pillar.get('masterfw') %} +{% for ip in pillar.get('firewall:master:ips') %} # Allow Redis -enable_maternode_redis_6379_{{ip}}: +enable_masternode_{{ip}}_{{port}}: iptables.insert: - table: filter - chain: DOCKER-USER - jump: ACCEPT - proto: tcp - source: {{ ip }} - - dport: 6379 + - dport: {{ port }} - position: 1 - save: True 
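Review bot: `port` is never defined inside the `{% for ip in pillar.get('firewall:master:ips') %}` loop, yet the new state id `enable_masternode_{{ip}}_{{port}}` and `- dport: {{ port }}` both reference it; depending on how Salt's Jinja environment treats undefined names this either fails the render or emits a `dport:` with an empty value, and a rule that loses its port match would accept all TCP from that source, so this needs verifying rather than assuming a clean failure. At this stage of the series the intended shape is presumably a nested `{% for port in pillar.get('firewall:master:ports:tcp', []) %}` inside the ip loop (that path is what pillar/firewall/ports.sls in this commit defines) with its own `{% endfor %}`. `pillar.get('firewall:master:ips')` also has no default, so a host without that pillar key makes the whole firewall state fail to render; `pillar.get('firewall:master:ips', [])` degrades to "no rules" instead. The loop body and its closing `{% endfor %}` continue outside this hunk.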
@@ -292,13 +269,49 @@ enable_master_cyberchef_9080_{{ip}}: - position: 1 - save: True +# Add rule(s) for Wazuh manager +enable_wazuh_manager_1514_tcp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +enable_wazuh_manager_1514_udp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: udp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +{% endfor %} + +{% for k in pillar.get('masterfw-custom', {}) %} +enable_custom_masterfw_{{ k }}: + iptables.insert: + - table: filter + - chain: {{ k.chain }} + - jump: ACCEPT + - proto: {{ k.proto }} + - source: {{ k.source }} + - dport: {{ k.dport }} + - position: 1 + - save: True {% endfor %} # Make it so all the minions can talk to salt and update etc. -{% for ip in pillar.get('minions') %} +{% for ip in pillar.get('firewall:minions') %} -enable_salt_minions_4505_{{ip}}: +enable_salt_minions_salt_4505_{{ip}}: iptables.insert: - table: filter - chain: INPUT @@ -309,7 +322,7 @@ enable_salt_minions_4505_{{ip}}: - position: 1 - save: True -enable_salt_minions_4506_{{ip}}: +enable_salt_minions_salt_4506_{{ip}}: iptables.insert: - table: filter - chain: INPUT @@ -320,7 +333,7 @@ enable_salt_minions_4506_{{ip}}: - position: 1 - save: True -enable_salt_minions_5000_{{ip}}: +enable_salt_minions_registry_5000_{{ip}}: iptables.insert: - table: filter - chain: DOCKER-USER @@ -331,7 +344,7 @@ enable_salt_minions_5000_{{ip}}: - position: 1 - save: True -enable_salt_minions_3142_{{ip}}: +enable_salt_minions_acng_3142_{{ip}}: iptables.insert: - table: filter - chain: DOCKER-USER @@ -378,7 +391,7 @@ enable_minion_wazuh_55000_{{ip}}: {% endfor %} # Allow Forward Nodes to send their beats traffic -{% for ip in pillar.get('forward_nodes') %} +{% for ip in pillar.get('firewall:forward_nodes') %} enable_forwardnode_beats_5044_{{ip}}: iptables.insert: 
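Review bot: `{% for ip in pillar.get('firewall:minions') %}` in the `@@ -292,13 +269,49 @@` hunk iterates the mapping that the so-functions template in this commit writes (`firewall: minions: ips: [...]`), so the loop variable takes the key `ips` instead of the addresses and every rule renders with `- source: ips`; the master section already uses the `firewall:master:ips` form and the same `:ips` suffix is needed here and in the `firewall:forward_nodes` (`@@ -378,7`), `firewall:search_nodes`, `firewall:beats_endpoint`, `firewall:osquery_endpoint`, `firewall:wazuh_endpoint`, `firewall:analyst` (`@@ -442,7` through `@@ -527,8`) and the later `firewall:analyst` / `firewall:osquery_endpoint` fleet loops (`@@ -796,7`, `@@ -812,7`). Separately, `{% for k in pillar.get('masterfw-custom', {}) %}` iterates dict keys, so `k.chain`, `k.proto`, `k.source` and `k.dport` are undefined for every entry; `{% for name, rule in pillar.get('masterfw-custom', {}).items() %}` with `enable_custom_masterfw_{{ name }}` and `rule.chain` etc. matches the evident intent. Because `- chain: {{ k.chain }}` is taken straight from pillar, defaulting it to `DOCKER-USER` or checking it against the two chains this file uses (`INPUT`, `DOCKER-USER`) would keep a typo from inserting into an unintended chain.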
@@ -442,7 +455,7 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: {% endif %} -{% for ip in pillar.get('search_nodes') %} +{% for ip in pillar.get('firewall:search_nodes') %} enable_searchnode_redis_6379_{{ip}}: iptables.insert: @@ -469,7 +482,7 @@ enable_searchnode_ES_9300_{{ip}}: {% endfor %} # Allow Beats Endpoints to send their beats traffic -{% for ip in pillar.get('beats_endpoint') %} +{% for ip in pillar.get('firewall:beats_endpoint') %} enable_standard_beats_5044_{{ip}}: iptables.insert: @@ -485,7 +498,7 @@ enable_standard_beats_5044_{{ip}}: {% endfor %} # Allow OSQuery Endpoints to send their traffic -{% for ip in pillar.get('osquery_endpoint') %} +{% for ip in pillar.get('firewall:osquery_endpoint') %} enable_standard_osquery_8090_{{ip}}: iptables.insert: @@ -501,7 +514,7 @@ enable_standard_osquery_8090_{{ip}}: {% endfor %} # Allow Wazuh Endpoints to send their traffic -{% for ip in pillar.get('wazuh_endpoint') %} +{% for ip in pillar.get('firewall:wazuh_endpoint') %} enable_wazuh_endpoint_tcp_1514_{{ip}}: iptables.insert: @@ -527,8 +540,8 @@ enable_wazuh_endpoint_udp_1514_{{ip}}: {% endfor %} -# Allow Analysts -{% for ip in pillar.get('analyst') %} +# All Analysts get the following access to the master: +{% for ip in pillar.get('firewall:analyst') %} enable_standard_analyst_80_{{ip}}: iptables.insert: 
@@ -552,73 +565,12 @@ enable_standard_analyst_443_{{ip}}: - position: 1 - save: True -#enable_standard_analyst_3000_{{ip}}: -# iptables.insert: -# - table: filter -# - chain: DOCKER-USER -# - jump: ACCEPT -# - proto: tcp -# - source: {{ ip }} -# - dport: 3000 -# - position: 1 -# - save: True - -#enable_standard_analyst_7000_{{ip}}: -# iptables.insert: -# - table: filter -# - chain: DOCKER-USER -# - jump: ACCEPT -# - proto: tcp -# - source: {{ ip }} -# - dport: 7000 -# - position: 1 -# - save: True - -#enable_standard_analyst_9000_{{ip}}: -# iptables.insert: -# - table: filter -# - chain: DOCKER-USER -# - jump: ACCEPT -# - proto: tcp -# - source: {{ ip }} -# - dport: 9000 -# - position: 1 -# - save: True - -#enable_standard_analyst_9001_{{ip}}: -# iptables.insert: -# - table: filter -# - chain: DOCKER-USER -# - jump: ACCEPT -# - proto: tcp -# - source: {{ ip }} -# - dport: 9001 -# - position: 1 -# - save: True - -# This is temporary for sensoroni testing -#enable_standard_analyst_9822_{{ip}}: -# iptables.insert: -# - table: filter -# - chain: DOCKER-USER -# - jump: ACCEPT -# - proto: tcp -# - source: {{ ip }} -# - dport: 9822 -# - position: 1 -# - save: True - {% endfor %} - -# Rules for search nodes connecting to master - - {% endif %} -# Rules if you are a Node +# All Nodes get the below rules: {% if 'node' in grains['role'] %} -#This should be more granular iptables_allow_docker: iptables.insert: - table: filter @@ -652,7 +604,7 @@ enable_docker_ES_9300: - save: True -{% for ip in pillar.get('masterfw') %} +{% for ip in pillar.get('firewall:masterfw') %} enable_cluster_ES_9300_{{ip}}: iptables.insert: @@ -669,7 +621,7 @@ enable_cluster_ES_9300_{{ip}}: {% endfor %} {% endif %} -# Rules if you are a Sensor +# All Sensors get the below rules: {% if grains['role'] == 'so-sensor' %} {% endif %} 
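Review bot: `pillar.get('firewall:masterfw')` in the `@@ -652,7 +604,7 @@` hunk names a key that nothing in this commit generates — the so-functions template loop now produces `master`, and the master section of this file reads `firewall:master:ips` — so on every node role this loop runs over None and the firewall state fails to render. It should read `{% for ip in pillar.get('firewall:master:ips', []) %}` so the ES 9300 cluster rules are actually built from the master ip list and a missing key degrades to no rules rather than a render error. The enclosing `{% if 'node' in grains['role'] %}` block starts inside this hunk but its `{% endfor %}`/`{% endif %}` sit in the next one.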
@@ -678,16 +630,7 @@ enable_cluster_ES_9300_{{ip}}: # Rules if you are a Warm Node -# Some Fixer upper type rules -# Drop it like it's hot -# Make the input policy send stuff that doesn't match to be logged and dropped -iptables_drop_all_the_things: - iptables.append: - - table: filter - - chain: LOGGING - - jump: DROP - - save: True - +# All heavy nodes get the below rules: {% if grains['role'] == 'so-heavynode' %} # Allow Redis enable_heavynode_redis_6379_{{ip}}: @@ -796,7 +739,7 @@ enable_fleettemp_osquery_8080_{{ip}}: # Allow Analysts to access Fleet WebUI -{% for ip in pillar.get('analyst') %} +{% for ip in pillar.get('firewall:analyst') %} enable_fleetnode_fleet_443_{{ip}}: iptables.insert: @@ -812,7 +755,7 @@ enable_fleetnode_fleet_443_{{ip}}: {% endfor %} # Needed for osquery endpoints to checkin to Fleet API for mgt -{% for ip in pillar.get('osquery_endpoint') %} +{% for ip in pillar.get('firewall:osquery_endpoint') %} enable_fleetnode_8090_{{ip}}: iptables.insert: @@ -827,4 +770,11 @@ enable_fleetnode_8090_{{ip}}: {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} +# Make the input policy send stuff that doesn't match to be logged and dropped +iptables_drop_all_the_things: + iptables.append: + - table: filter + - chain: LOGGING + - jump: DROP + - save: True \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index 6af94e26a..e5d305784 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,4 +1,4 @@ -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%} +{%- set BROVER = salt['pillar.get']('static:broversion', '') -%} {%- set WAZUH = salt['pillar.get']('static:wazuh', '0') -%} {%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} {%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%} diff --git a/setup/so-functions b/setup/so-functions index dae31a79c..eaf462933 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -711,11 +711,13 @@ firewall_generate_templates() { local firewall_pillar_path=/opt/so/saltstack/pillar/firewall mkdir -p "$firewall_pillar_path" - for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint + for i in analyst beats_endpoint forward_nodes master minions osquery_endpoint search_nodes wazuh_endpoint do printf '%s\n'\ - "$i:"\ - " - 127.0.0.1"\ + "firewall:" + " $i:"\ + " ips:" \ + " - 127.0.0.1"\ "" > "$firewall_pillar_path"/$i.sls echo "Added $i Template" done From 1945c57b0d8f77e661b5bd3f72a815fec2f0d321 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 May 2020 18:22:23 -0400 Subject: [PATCH 02/22] starting new fw format - issue/641 --- salt/firewall/init.sls | 432 ++---------------------------------- salt/firewall/ports.yml | 16 ++ salt/firewall/ports.yml.old | 63 ++++++ 3 files changed, 93 insertions(+), 418 deletions(-) create mode 100644 salt/firewall/ports.yml create mode 100644 salt/firewall/ports.yml.old diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index a0bd50717..e6fa05638 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -11,6 +11,9 @@ {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %} +{% import_yaml 'firewall/ports.yml' as firewall_ports %} +{% set firewall_aliases = salt['pillar.get']('firewall:aliases', firewall_ports.firewall.aliases, merge=True) %} + # Quick Fix for Docker being difficult iptables_fix_docker: iptables.chain_present: 
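Review bot: The new `"firewall:"` argument line is missing the trailing `\`, so the `printf` ends there and the following `" $i:" " ips:" " - 127.0.0.1" "" > "$firewall_pillar_path"/$i.sls` runs as a separate command with `<alias>:` as the command name; the template file is created empty (and the shell reports command-not-found) instead of holding the ip list. It should be `"firewall:"\` like the other arguments — patch 04 later in this series adds exactly that backslash. Because the argument strings are what fix the YAML nesting, any collapsed indentation here translates directly into a different pillar structure, so a quick `salt-call pillar.get firewall` after generation is worth keeping in the test checklist.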
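Review bot: `salt['pillar.get']('firewall:aliases', firewall_ports.firewall.aliases, merge=True)` reads the plural key `firewall:aliases`, while the pillar templates this series generates use `firewall: alias:` (singular, see the so-functions hunk in patch 04), so the pillar ip lists are never merged and `firewall_aliases[alias].ips` is undefined for every alias. Align the two names, e.g. write `" aliases:"\` in the template, or change this line to `'firewall:alias'`; a mismatch here fails silently because `pillar.get` just returns the default. Since the default comes from `firewall/ports.yml`, only aliases present in that file exist at all after the merge, which is worth a comment next to the `import_yaml` line.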
@@ -124,324 +127,29 @@ iptables_allow_master_docker: - position: 1 - save: True -{% for ip in pillar.get('firewall:master:ips') %} -# Allow Redis -enable_masternode_{{ip}}_{{port}}: +{% for alias in ['master', 'minions', 'forward_nodes', 'search_nodes', 'beats_endpoint', 'osquery_endpoint', 'wazuh_endpoint', 'analyst'] %} + {% for ip in firewall_aliases[alias].ips %} + {% for servicename, services in firewall_aliases[alias].ports.items() %} + {% for proto, ports in services.items() %} + {% for port in ports %} +{{alias}}_{{ip}}_{{servicename}}_{{port}}_{{proto}}: iptables.insert: - table: filter - chain: DOCKER-USER - jump: ACCEPT - - proto: tcp + - proto: {{ proto }} - source: {{ ip }} - dport: {{ port }} - position: 1 - save: True - -enable_masternode_kibana_5601_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5601 - - position: 1 - - save: True - -enable_masternode_ES_9200_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9200 - - position: 1 - - save: True - -enable_masternode_ES_9300_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9300 - - position: 1 - - save: True - -enable_masternode_ES_9400_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9400 - - position: 1 - - save: True - -enable_masternode_ES_9500_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9500 - - position: 1 - - save: True - -enable_masternode_influxdb_8086_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8086 - - position: 1 - - save: True - -enable_masternode_mysql_3306_{{ip}}: - iptables.insert: - - 
table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 3306 - - position: 1 - - save: True - -enable_master_osquery_8090_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8090 - - position: 1 - - save: True - -enable_master_playbook_3200_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 3200 - - position: 1 - - save: True - -enable_master_navigator_4200_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 4200 - - position: 1 - - save: True - -enable_master_cortex_9001_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9001 - - position: 1 - - save: True - -enable_master_cyberchef_9080_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9080 - - position: 1 - - save: True - -# Add rule(s) for Wazuh manager -enable_wazuh_manager_1514_tcp_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -enable_wazuh_manager_1514_udp_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: udp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -{% endfor %} - -{% for k in pillar.get('masterfw-custom', {}) %} -enable_custom_masterfw_{{ k }}: - iptables.insert: - - table: filter - - chain: {{ k.chain }} - - jump: ACCEPT - - proto: {{ k.proto }} - - source: {{ k.source }} - - dport: {{ k.dport }} - - position: 1 - - save: True - -{% endfor %} - -# Make it so all the minions can talk to salt and update etc. 
-{% for ip in pillar.get('firewall:minions') %} - -enable_salt_minions_salt_4505_{{ip}}: - iptables.insert: - - table: filter - - chain: INPUT - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 4505 - - position: 1 - - save: True - -enable_salt_minions_salt_4506_{{ip}}: - iptables.insert: - - table: filter - - chain: INPUT - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 4506 - - position: 1 - - save: True - -enable_salt_minions_registry_5000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5000 - - position: 1 - - save: True - -enable_salt_minions_acng_3142_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 3142 - - position: 1 - - save: True - -enable_minions_influxdb_8086_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8086 - - position: 1 - - save: True - -enable_minion_osquery_8080_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8080 - - position: 1 - - save: True - -enable_minion_wazuh_55000_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 55000 - - position: 1 - - save: True - -{% endfor %} - -# Allow Forward Nodes to send their beats traffic -{% for ip in pillar.get('firewall:forward_nodes') %} - -enable_forwardnode_beats_5044_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5044 - - position: 1 - - save: True - -enable_forwardnode_beats_5644_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5644 - - position: 1 - - save: True - 
-enable_forwardnode_sensoroni_443_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 443 - - position: 1 - - save: True - -enable_forwardnode_sensoroni_9822_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9822 - - position: 1 - - save: True - + {% endfor %} + {% endfor %} + {% endfor %} + {% endfor %} {% endfor %} # Allow Fleet Node to send its beats traffic {% if FLEET_NODE %} - enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: iptables.insert: - table: filter 
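Review bot: Every generated rule is pinned to `- chain: DOCKER-USER`, but the removed `enable_salt_minions_salt_4505_{{ip}}` and `enable_salt_minions_salt_4506_{{ip}}` rules were in `INPUT`; DOCKER-USER is traversed on the FORWARD path, so traffic to host-local services such as salt-master's 4505/4506 no longer gets an accept rule once this is applied and minions lose their master connection. The service entries in ports.yml need a chain attribute (or a fixed list of host-bound services) that the loop reads instead of the hard-coded chain. The loop also indexes `firewall_aliases[alias]` for eight aliases while ports.yml in this commit defines only `master`, so the render stops at `minions`, and an empty protocol key (`udp:` with no entries) makes `for port in ports` iterate over None — `{% for port in ports or [] %}` covers that case. The `{% if FLEET_NODE %}` block at the end of the hunk continues past it.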
@@ -452,120 +160,8 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: - dport: 5644 - position: 1 - save: True - {% endif %} -{% for ip in pillar.get('firewall:search_nodes') %} - -enable_searchnode_redis_6379_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 6379 - - position: 1 - - save: True - -enable_searchnode_ES_9300_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9300 - - position: 1 - - save: True - -{% endfor %} - -# Allow Beats Endpoints to send their beats traffic -{% for ip in pillar.get('firewall:beats_endpoint') %} - -enable_standard_beats_5044_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5044 - - position: 1 - - save: True - -{% endfor %} - -# Allow OSQuery Endpoints to send their traffic -{% for ip in pillar.get('firewall:osquery_endpoint') %} - -enable_standard_osquery_8090_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8090 - - position: 1 - - save: True - -{% endfor %} - -# Allow Wazuh Endpoints to send their traffic -{% for ip in pillar.get('firewall:wazuh_endpoint') %} - -enable_wazuh_endpoint_tcp_1514_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -enable_wazuh_endpoint_udp_1514_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: udp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -{% endfor %} - -# All Analysts get the following access to the master: -{% for ip in pillar.get('firewall:analyst') %} - -enable_standard_analyst_80_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - 
- source: {{ ip }} - - dport: 80 - - position: 1 - - save: True - -enable_standard_analyst_443_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 443 - - position: 1 - - save: True - -{% endfor %} {% endif %} # All Nodes get the below rules: diff --git a/salt/firewall/ports.yml b/salt/firewall/ports.yml new file mode 100644 index 000000000..0cb40b29a --- /dev/null +++ b/salt/firewall/ports.yml @@ -0,0 +1,16 @@ +firewall: + aliases: + master: + ports: + sn1: + tcp: + - 1000 + - 1001 + udp: + - 1003 + sn2: + tcp: + - 2000 + - 2001 + udp: + - 2000 \ No newline at end of file diff --git a/salt/firewall/ports.yml.old b/salt/firewall/ports.yml.old new file mode 100644 index 000000000..f318863c5 --- /dev/null +++ b/salt/firewall/ports.yml.old @@ -0,0 +1,63 @@ +firewall: + aliases: + analyst: + ports: + tcp: + - 80 + - 443 + udp: + beats_endpoint: + ports: + tcp: + - 5044 + forward_nodes: + ports: + tcp: + - 443 + - 5044 + - 5644 + - 9822 + udp: + master: + ports: + tcp: + - 1514 + - 3200 + - 3306 + - 4200 + - 5601 + - 6379 + - 8086 + - 8090 + - 9001 + - 9200 + - 9300 + - 9400 + - 9500 + udp: + - 1514 + minions: + ports: + tcp: + - 3142 + - 4505 + - 4506 + - 5000 + - 8080 + - 8086 + - 55000 + osquery_endpoint: + ports: + tcp: + - 8090 + search_nodes: + ports: + tcp: + - 6379 + - 9300 + wazuh_endpoint: + ports: + tcp: + - 1514 + udp: + -1514 From 986df0c5735ce9b0c2094c3b0fd299b387416294 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 8 May 2020 11:13:23 -0400 Subject: [PATCH 03/22] Update ports.yml --- salt/firewall/ports.yml | 114 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 106 insertions(+), 8 deletions(-) diff --git a/salt/firewall/ports.yml b/salt/firewall/ports.yml index 0cb40b29a..a401ed137 100644 --- a/salt/firewall/ports.yml +++ b/salt/firewall/ports.yml 
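Review bot: The new salt/firewall/ports.yml carries placeholder services (`sn1` with 1000/1001/1003, `sn2` with 2000/2001/2000) rather than the real master ports, and it is the file init.sls now loads by default via `import_yaml 'firewall/ports.yml'`, so applying this commit as-is would open those arbitrary ports to every master ip and none of the services the removed rules covered. The other seven aliases that the init.sls loop indexes are absent here. Patch 03 in this series replaces the content, but this intermediate state should not be deployable; at minimum a `# placeholder — not for use` comment at the top, or keeping the real list from ports.yml.old in place, would make that explicit.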
@@ -1,16 +1,114 @@ firewall: aliases: + analyst: + ports: + nginx: + tcp: + - 80 + - 443 + beats_endpoint: + ports: + beats: + tcp: + - 5044 + forward_nodes: + ports: + sensoroni: + tcp: + - 443 + beats: + tcp: + - 5044 + beats_so: + tcp: + - 5644 master: ports: - sn1: + wazuh: tcp: - - 1000 - - 1001 + - 1514 udp: - - 1003 - sn2: + - 1514 + playbook: tcp: - - 2000 - - 2001 + - 3200 + mysql: + tcp: + - 3306 + navigator: + tcp: + - 4200 + kibana: + tcp: + - 5601 + redis: + tcp: + - 6379 + influxdb: + tcp: + - 8086 + osquery: + tcp: + - 8090 + cortex: + tcp: + - 9001 + elasticsearch: + tcp: + - 9200 + - 9300 + cortex_es: + tcp: + - 9400 + - 9500 + minions: + ports: + acng: + - 3142 + salt: + tcp: + - 4505 + - 4506 + registry: + tcp: + - 5000 + osquery: + tcp: + - 8080 + influxdb: + tcp: + - 8086 + wazuh: + tcp: + - 55000 + osquery_endpoint: + ports: + fleet: + tcp: + - 8090 + search_nodes: + ports: + redis: + tcp: + - 6379 + elasticsearch: + - 9300 + wazuh_endpoint: + ports: + wazuh: + tcp: + - 1514 udp: - - 2000 \ No newline at end of file + - 1514 + + + + + + + + + + + + \ No newline at end of file From 470046dda91635004da6218baf794bf2fd076279 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 8 May 2020 11:16:26 -0400 Subject: [PATCH 04/22] Update setup for new format --- pillar/firewall/addfirewall.sh | 2 +- setup/so-functions | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh index 9963d08db..eadb31fa2 100644 --- a/pillar/firewall/addfirewall.sh +++ b/pillar/firewall/addfirewall.sh @@ -8,6 +8,6 @@ IPADDRESS=$2 if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then echo "Firewall Rule Already There" else - echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls + echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls salt-call state.apply firewall queue=True fi diff --git a/setup/so-functions b/setup/so-functions index eaf462933..0e8c650ca 100755 
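Review bot: `acng:` under `minions: ports:` and `elasticsearch:` under `search_nodes: ports:` list their ports directly (`- 3142`, `- 9300`) without the `tcp:` level every other service has, so `services.items()` in the init.sls loop is called on a list and the render fails for those aliases; they should read `acng: tcp: - 3142` and `elasticsearch: tcp: - 9300`. Port 8090 is named `osquery` under `master` and `fleet` under `osquery_endpoint`; one name per service keeps the generated state ids (`{{alias}}_{{ip}}_{{servicename}}_{{port}}_{{proto}}`) predictable. The run of blank lines before the missing final newline can be trimmed.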
--- a/setup/so-functions +++ b/setup/so-functions @@ -714,10 +714,11 @@ firewall_generate_templates() { for i in analyst beats_endpoint forward_nodes master minions osquery_endpoint search_nodes wazuh_endpoint do printf '%s\n'\ - "firewall:" - " $i:"\ - " ips:" \ - " - 127.0.0.1"\ + "firewall:"\ + " alias:"\ + " $i:"\ + " ips:" \ + " - 127.0.0.1"\ "" > "$firewall_pillar_path"/$i.sls echo "Added $i Template" done From 85708b77c6bfeb0cf78910fa4bee21d59d28ce19 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 8 May 2020 11:47:35 -0400 Subject: [PATCH 05/22] Update aliases --- salt/firewall/ports.yml | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/salt/firewall/ports.yml b/salt/firewall/ports.yml index a401ed137..acca97343 100644 --- a/salt/firewall/ports.yml +++ b/salt/firewall/ports.yml @@ -11,6 +11,17 @@ firewall: beats: tcp: - 5044 + fleet: + ports: + mysql: + tcp: + - 3306 + redis: + tcp: + - 6379 + osquery: + tcp: + - 8080 forward_nodes: ports: sensoroni: @@ -21,7 +32,16 @@ firewall: - 5044 beats_so: tcp: - - 5644 + - 5644 + heavy_node: + ports: + redis: + tcp: + - 6379 + beats: + - 5044 + beats2: + - 5644 master: ports: wazuh: @@ -53,13 +73,17 @@ firewall: cortex: tcp: - 9001 - elasticsearch: + elasticsearch_rest: tcp: - 9200 + elasticsearch_node: + tcp: - 9300 - cortex_es: + cortex_es_rest: tcp: - 9400 + cortex_es_node: + tcp: - 9500 minions: ports: @@ -81,6 +105,11 @@ firewall: wazuh: tcp: - 55000 + node: + ports: + elasticsearch_node: + tcp: + - 9300 osquery_endpoint: ports: fleet: @@ -91,8 +120,10 @@ firewall: redis: tcp: - 6379 - elasticsearch: + elasticsearch_node: - 9300 + sensor: + ports: wazuh_endpoint: ports: wazuh: From fc2564e7bed2370fedf30734c851f4811c13a115 Mon Sep 17 00:00:00 2001 
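Review bot: The template now writes `firewall: alias: <name>: ips:`, while init.sls reads `salt['pillar.get']('firewall:aliases', ...)` (plural, patch 02 of this series), so the pillar ip lists are still never merged and every alias renders with no `ips`. Change this line to `" aliases:"\` (or the state side to `'firewall:alias'`) so the two agree; the rest of this hunk correctly restores the missing `\` after `"firewall:"`.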
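Review bot: `heavy_node: ports: beats: - 5044` and `beats2: - 5644` in the `@@ -21,7 +32,16 @@` hunk omit the `tcp:` level that the init.sls loop expects (`services.items()` on a list fails), and the `@@ -91,8 +120,10 @@` hunk has the same shape problem with `elasticsearch_node: - 9300` under `search_nodes` plus an empty `sensor: ports:` that loads as null and breaks `.ports.items()`. Each should carry `tcp:` as the intermediate key, and `sensor` should either get its list or be omitted until it has one. The new `fleet`, `heavy_node`, `node` and `sensor` aliases are also not in the alias list hard-coded in init.sls, so they are data-only until that list (or a loop over the yaml keys) picks them up.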
From: Mike Reeves Date: Fri, 8 May 2020 12:07:16 -0400 Subject: [PATCH 06/22] Update ip lists --- pillar/firewall/addfirewall.sh | 2 +- setup/so-functions | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh index eadb31fa2..084006f5a 100644 --- a/pillar/firewall/addfirewall.sh +++ b/pillar/firewall/addfirewall.sh @@ -8,6 +8,6 @@ IPADDRESS=$2 if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then echo "Firewall Rule Already There" else - echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls + echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls salt-call state.apply firewall queue=True fi diff --git a/setup/so-functions b/setup/so-functions index 0e8c650ca..6ec9815de 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -718,7 +718,9 @@ firewall_generate_templates() { " alias:"\ " $i:"\ " ips:" \ - " - 127.0.0.1"\ + " delete:"\ + " allow:"\ + " - 127.0.0.1"\ "" > "$firewall_pillar_path"/$i.sls echo "Added $i Template" done From 721f2682ac28236b2ec5100de17b8814fd468489 Mon Sep 17 00:00:00 2001 
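Review bot: `ips:` in the generated template is now a mapping with `delete:` and `allow:` children, but init.sls (patch 02) iterates `firewall_aliases[alias].ips` directly, so the loop would yield the strings `delete` and `allow` as addresses and emit `- source: allow`; the state needs to read `.ips.allow` (and do something with `.ips.delete`, which is otherwise silently ignored), or the template should stay a flat list. addfirewall.sh in the same patch still appends `- $2` at the end of the file, which only lands under `allow:` if its leading spaces match the deeper nesting introduced here — confirm the two edits agree, since the collapsed whitespace on this page does not show it. The existing `grep -q $2` check is unanchored and treats dots as wildcards, so an existing `10.0.0.10` entry would suppress adding `10.0.0.1`; `grep -qxF -- " - $2"` is the safer duplicate check.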
From: m0duspwnens Date: Tue, 9 Jun 2020 09:40:38 -0400 Subject: [PATCH 07/22] changes for firewall - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- .../assigned_hostgroups.local.map.yaml | 21 ++ salt/firewall/assigned_hostgroups.map.yaml | 288 ++++++++++++++++++ salt/firewall/hostgroups.local.yaml | 48 +++ salt/firewall/hostgroups.yaml | 17 ++ salt/firewall/init.sls | 254 ++------------- salt/firewall/map.jinja | 7 + salt/firewall/portgroups.local.yaml | 3 + salt/firewall/portgroups.yaml | 81 +++++ salt/firewall/unneeded_hostgroups.local.yaml | 115 +++++++ salt/firewall/unneeded_hostgroups.yaml | 95 ++++++ .../{ports.yml => unneeded_ports.yml} | 0 .../{ports.yml.old => unneeded_ports.yml.old} | 0 salt/firewall/unneeded_role.map.jinja | 288 ++++++++++++++++++ 13 files changed, 984 insertions(+), 233 deletions(-) create mode 100644 salt/firewall/assigned_hostgroups.local.map.yaml create mode 100644 salt/firewall/assigned_hostgroups.map.yaml create mode 100644 salt/firewall/hostgroups.local.yaml create mode 100644 salt/firewall/hostgroups.yaml create mode 100644 salt/firewall/map.jinja create mode 100644 salt/firewall/portgroups.local.yaml create mode 100644 salt/firewall/portgroups.yaml create mode 100644 salt/firewall/unneeded_hostgroups.local.yaml create mode 100644 salt/firewall/unneeded_hostgroups.yaml rename salt/firewall/{ports.yml => unneeded_ports.yml} (100%) rename salt/firewall/{ports.yml.old => unneeded_ports.yml.old} (100%) create mode 100644 salt/firewall/unneeded_role.map.jinja diff --git a/salt/firewall/assigned_hostgroups.local.map.yaml b/salt/firewall/assigned_hostgroups.local.map.yaml new file mode 100644 index 000000000..3484e2db6 --- /dev/null +++ b/salt/firewall/assigned_hostgroups.local.map.yaml 
@@ -0,0 +1,21 @@ +{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} +{% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} + +role: + eval: + hostgroups: + helixsensor: + hostgroups: + master: + hostgroups: + mastersearch: + hostgroups: + standalone: + hostgroups: + searchnode: + hostgroups: + fleet: + hostgroups: \ No newline at end of file diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml new file mode 100644 index 000000000..319bda8e1 --- /dev/null +++ b/salt/firewall/assigned_hostgroups.map.yaml 
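Review bot: `portgroups` is built with `salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False)` but never referenced in this file, and every `hostgroups:` entry under `role:` is empty, so each role loads as `hostgroups: None`; whichever map consumes this overlay needs a null guard before `.hostgroups.items()`. If the file is meant to be user-edited, a header comment showing the expected shape (`hostgroups: <name>: portgroups: - {{ portgroups.<group> }}`) would explain why the merge lines are there, otherwise drop them until the local file uses them. This hunk is the whole file; the file ends without a trailing newline.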
@@ -0,0 +1,288 @@ +{% import_yaml 'firewall/portgroups.yaml' as portgroups %} +{% set portgroups = portgroups.firewall.aliases.ports %} + +role: + eval: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.salt_master }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + helixsensor: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.salt_master }} + - {{ portgroups.docker_registry }} + - {{ 
portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + master: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.salt_master }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + mastersearch: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ 
portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.salt_master }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + standalone: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.salt_master }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + 
osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + searchnode: + hostgroups: + master: + portgroups: + - {{ portgroups.elasticsearch_node }} + dockernet: + portgroups: + - {{ portgroups.all }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_node }} + sensor: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + heavynode: + hostgroups: + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + fleet: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + localhost: + portgroups: + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + analyst: + portgroups: + - {{ portgroups.fleet_webui }} \ No newline at end of file diff --git a/salt/firewall/hostgroups.local.yaml b/salt/firewall/hostgroups.local.yaml new file mode 100644 index 000000000..c8ae00303 --- /dev/null +++ b/salt/firewall/hostgroups.local.yaml @@ -0,0 +1,48 @@ +firewall: + hostgroups: + analyst: + ips: + delete: + insert: + - 10.11.1.1 + beats_endpoint: + ips: + delete: + insert: + fleet: + ips: + delete: + insert: + heavy_node: + ips: + delete: + insert: + master: + ips: + delete: + insert: + minion: + ips: + delete: + insert: + node: + ips: + delete: + insert: + osquery_endpoint: + ips: + delete: + insert: + search_node: + ips: + delete: + insert: + sensor: + ips: + delete: + insert: + wazuh_endpoint: + ips: + delete: + insert: + \ No newline at end of file diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml new file mode 100644 index 000000000..fe781a848 --- /dev/null +++ b/salt/firewall/hostgroups.yaml 
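Review bot: Under `searchnode:` the `dockernet` entry lists `{{ portgroups.elasticsearch_node }}` twice on top of `{{ portgroups.all }}`, which already covers every port; init.sls names each generated state `{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}`, so the two identical entries render the same state ID and the YAML loader rejects the whole SLS for a conflicting ID instead of applying it. Drop both `elasticsearch_node` lines under that `dockernet` block. `heavynode` is the only node role with no `dockernet` entry, while the INPUT rules this commit removes from init.sls allowed 172.17.0.0/24 on every role containing `node` — if that narrowing is deliberate, a comment on the `heavynode` block would save the next reader from re-checking it. The file has no header; a comment explaining that each role maps hostgroup → portgroups and that the hostgroup addresses come from hostgroups.yaml and hostgroups.local.yaml would help.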
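Review bot: `analyst: ips: insert: - 10.11.1.1` commits a concrete address into a file that is merged into every role's ruleset — the `analyst` hostgroup gets the nginx ports on the master-type roles and the Fleet web UI on `fleet` — so a deployment that takes this file unchanged opens those ports to that address without an operator ever choosing it. If it is a placeholder, leave the list empty like every other hostgroup here. Since the file is named as the site-local override but is version-controlled, a code update would also overwrite whatever an operator puts in it; a header comment stating who owns this file and that it overrides hostgroups.yaml would make that expectation explicit.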
@@ -0,0 +1,17 @@
+firewall:
+ hostgroups:
+ dockernet:
+ ips:
+ delete:
+ insert:
+ - 172.17.0.0/24
+ localhost:
+ ips:
+ delete:
+ insert:
+ - 127.0.0.1
+ self:
+ ips:
+ delete:
+ insert:
+ - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint'))))[0] }}
\ No newline at end of file
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index 8c9930812..de4f3bfe8 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -12,8 +12,9 @@
{% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
{% set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %}
-{% import_yaml 'firewall/ports.yml' as firewall_ports %}
-{% set firewall_aliases = salt['pillar.get']('firewall:aliases', firewall_ports.firewall.aliases, merge=True) %}
+{% from 'firewall/map.jinja' import hostgroups with context %}
+{% from 'firewall/map.jinja' import assigned_hostgroups with context %}
+{% set role = grains.id.split('_') | last %}
# Quick Fix for Docker being difficult
iptables_fix_docker:
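Review bot: The `self` entry indexes `[0]` on `ip_interfaces.get(...)`, which returns null when none of `sensor:mainint`, `master:mainint` or `node:mainint` is set in pillar or the named interface is absent from the grain, so the whole firewall state fails to render on that minion instead of just skipping the `self` rules. `ip_interfaces` also lists IPv6 addresses alongside IPv4 ones, so `[0]` is not guaranteed to be the IPv4 address the rules expect; the `ip4_interfaces` grain avoids that. A short comment above `self` naming the interface the address is taken from, and what should happen when no `mainint` is configured, would document the intent.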
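Review bot: `{% set role = grains.id.split('_') | last %}` derives the role from the minion id, while the rest of this file keys on `grains['role']` (the master test just after this hunk, for instance), so the two sources can disagree; a minion whose id does not end in `_<role>`, or whose role has no entry in the map, makes `assigned_hostgroups.role[role]` an undefined lookup that fails the whole state at render time. Derive the role from the same grain the rest of the file uses and guard the lookup so an unmapped role produces no rules rather than a render error, e.g. `{% if role in assigned_hostgroups.role %}` around the new loop. A comment next to the `set` documenting the `<hostname>_<role>` naming convention it relies on belongs here too.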
@@ -118,36 +119,6 @@ enable_docker_user_established:
# Rules if you are a Master
{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %}
-#This should be more granular
-iptables_allow_master_docker:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - source: 172.17.0.0/24
- - position: 1
- - save: True
-
-{% for alias in ['master', 'minions', 'forward_nodes', 'search_nodes', 'beats_endpoint', 'osquery_endpoint', 'wazuh_endpoint', 'analyst'] %}
- {% for ip in firewall_aliases[alias].ips %}
- {% for servicename, services in firewall_aliases[alias].ports.items() %}
- {% for proto, ports in services.items() %}
- {% for port in ports %}
-{{alias}}_{{ip}}_{{servicename}}_{{port}}_{{proto}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: {{ proto }}
- - source: {{ ip }}
- - dport: {{ port }}
- - position: 1
- - save: True
- {% endfor %}
- {% endfor %}
- {% endfor %}
- {% endfor %}
-{% endfor %}
# Allow Fleet Node to send its beats traffic
{% if FLEET_NODE %}
@@ -163,218 +134,35 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
- save: True
{% endif %}
-{% endif %}
+{% endif %}
-# All Nodes get the below rules:
-{% if 'node' in grains['role'] %}
+{% for hostgroup, portgroups in assigned_hostgroups.role[role].hostgroups.items() %}
+ {% for action in ['insert', 'delete' ] %}
+ {% if hostgroups[hostgroup].ips[action] %}
+ {% for ip in hostgroups[hostgroup].ips[action] %}
+ {% for portgroup in portgroups.portgroups %}
+ {% for proto, ports in portgroup.items() %}
+ {% for port in ports %}
-iptables_allow_docker:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - source: 172.17.0.0/24
- - position: 1
- - save: True
-
-enable_docker_ES_9200:
- iptables.insert:
+{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
+ iptables.{{action}}:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- - proto: tcp
- - source: 172.17.0.0/24
- - dport: 9200
- - position: 1
- - save: True
-
-
-enable_docker_ES_9300:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: 172.17.0.0/24
- - dport: 9300
- - position: 1
- - save: True
-
-
-{% for ip in pillar.get('firewall:masterfw') %}
-
-enable_cluster_ES_9300_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
+ - proto: {{ proto }}
- source: {{ ip }}
- - dport: 9300
- - position: 1
- - save: True
-
-
-{% endfor %}
-{% endif %}
-
-# All Sensors get the below rules:
-{% if grains['role'] == 'so-sensor' %}
-iptables_allow_sensor_docker:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - source: 172.17.0.0/24
- - position: 1
- - save: True
-{% endif %}
-
-# Rules if you are a Hot Node
-
-# Rules if you are a Warm Node
-
-# All heavy nodes get the below rules:
-{% if grains['role'] == 'so-heavynode' %}
-# Allow Redis
-enable_heavynode_redis_6379_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: 
{{ ip }}
- - dport: 6379
- - position: 1
- - save: True
-
-enable_forwardnode_beats_5044_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 5044
- - position: 1
- - save: True
-
-enable_forwardnode_beats_5644_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 5644
- - position: 1
- - save: True
-{% endif %}
-
-
-# Rules if you are a Standalone Fleet node
-{% if grains['role'] == 'so-fleet' %}
-#This should be more granular
-iptables_allow_fleetnode_docker:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - source: 172.17.0.0/24
- - position: 1
- - save: True
-
-# Allow Redis
-enable_fleetnode_redis_6379_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 6379
- - position: 1
- - save: True
-
-enable_fleetnode_mysql_3306_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 3306
- - position: 1
- - save: True
-
-enable_fleet_osquery_8080_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 8080
- - position: 1
- - save: True
-
-
-enable_fleetnodetemp_mysql_3306_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: 127.0.0.1
- - dport: 3306
- - position: 1
- - save: True
-
-enable_fleettemp_osquery_8080_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: 127.0.0.1
- - dport: 8080
- - position: 1
- - save: True
-
-
-# Allow Analysts to access Fleet WebUI
-{% for ip in pillar.get('firewall:analyst') %}
-
-enable_fleetnode_fleet_443_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - 
source: {{ ip }}
- - dport: 443
+ - dport: {{ port }}
- position: 1
- save: True
+ {% endfor %}
+ {% endfor %}
+ {% endfor %}
+ {% endfor %}
+ {% endif %}
+ {% endfor %}
{% endfor %}
-# Needed for osquery endpoints to checkin to Fleet API for mgt
-{% for ip in pillar.get('firewall:osquery_endpoint') %}
-
-enable_fleetnode_8090_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 8090
- - position: 1
- - save: True
-
-{% endfor %}
-
-{% endif %}
# Make the input policy send stuff that doesn't match to be logged and dropped
iptables_drop_all_the_things:
iptables.append:
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
new file mode 100644
index 000000000..32669692f
--- /dev/null
+++ b/salt/firewall/map.jinja
@@ -0,0 +1,7 @@
+{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
+{% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
+{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
+
+{% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
+{% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
+{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups, default_assigned_hostgroups, merge_lists=True, in_place=False) %}
\ No newline at end of file
diff --git a/salt/firewall/portgroups.local.yaml b/salt/firewall/portgroups.local.yaml
new file mode 100644
index 000000000..300d2ecda
--- /dev/null
+++ b/salt/firewall/portgroups.local.yaml
@@ -0,0 +1,3 @@
+firewall:
+ aliases:
+ ports:
\ No newline at end of file
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
new file mode 100644
index 000000000..bb80aa7b8
--- /dev/null
+++ b/salt/firewall/portgroups.yaml
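Review bot: Every generated state passes `- position: 1` regardless of `action`, and when `position` is supplied Salt's `iptables.delete` state deletes by position rather than by rule match (as far as I recall its implementation), so each `delete` entry in hostgroups.local.yaml would remove whichever rule currently sits first in DOCKER-USER instead of the `ip`/`port` rule it names — dropping an unrelated ACCEPT while leaving the intended one in place. Emit the position only for inserts: `{% if action == 'insert' %}` / `    - position: 1` / `{% endif %}`. The state ID `{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}` also omits the chain and portgroup name, so a hostgroup assigned two portgroups that share a port (or the same portgroup twice, as the map's `searchnode`/`dockernet` does) renders duplicate IDs that the YAML loader rejects; adding both to the ID avoids that. Note also that the INPUT-chain accepts for 172.17.0.0/24 removed in this hunk have no replacement: `dockernet` now lands in the hard-coded DOCKER-USER chain, which sits on the forwarding path and does not cover packets addressed to the host itself.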
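Review bot: The two merges run in opposite directions: `hostgroups` is built with the default as destination and the local file as source, so local wins, but `assigned_hostgroups` passes the local map as destination and the default map as source with `merge_lists=True`, so default scalars overwrite local ones and default list entries are appended — a site can add portgroups to a role but never remove or replace one, and an empty local `hostgroups:` is silently replaced by the default block. If local-wins is intended, swap the two arguments on the last line; either way a comment above each `set` stating which side wins would stop the next edit from guessing.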
@@ -0,0 +1,81 @@ +firewall: + aliases: + ports: + all: + tcp: + - '0:65535' + udp: + - '0:65535' + acng: + tcp: + - 3142 + beats_5044: + tcp: + - 5044 + beats_5644: + tcp: + - 5644 + cortex: + tcp: + - 9001 + cortex_es_node: + tcp: + - 9500 + cortex_es_rest: + tcp: + - 9400 + docker_registry: + tcp: + - 5000 + elasticsearch_node: + tcp: + - 9300 + elasticsearch_rest: + tcp: + - 9200 + fleet_api: + tcp: + - 8090 + fleet_webui: + tcp: + - 443 + influxdb: + tcp: + - 8086 + kibana: + tcp: + - 5601 + mysql: + tcp: + - 3306 + navigator: + tcp: + - 4200 + nginx: + tcp: + - 80 + - 443 + osquery_8080: + tcp: + - 8080 + playbook: + tcp: + - 3200 + redis: + tcp: + - 6379 + salt_master: + tcp: + - 4505 + - 4506 + sensoroni: + tcp: + - 443 + wazuh_minion: + tcp: + - 55000 + wazuh_endpoint: + tcp: + - 1514 + udp: + - 1514 \ No newline at end of file diff --git a/salt/firewall/unneeded_hostgroups.local.yaml b/salt/firewall/unneeded_hostgroups.local.yaml new file mode 100644 index 000000000..45dd886b1 --- /dev/null +++ b/salt/firewall/unneeded_hostgroups.local.yaml 
@@ -0,0 +1,115 @@ +{% import_yaml 'firewall/port_groups.yaml' as default_port_groups %} +{% set default_port_groups = default_port_groups.firewall.aliases.ports %} + +{% import_yaml 'firewall/port_groups.local.yaml' as local_port_groups %} +{% set local_port_groups = local_port_groups.firewall.aliases.ports %} + +{% set port_groups = local_port_groups, default=default_port_groups, merge=True %} + +firewall: + aliases: + analyst: + ips: + delete: + allow: + port_groups: + - {{ port_groups.nginx }} + beats_endpoint: + ips: + delete: + allow: + port_groups: + - {{ port_groups.beats_5044 }} + dockernet: + ips: + delete: + allow: + - 172.17.0.0/24 + fleet: + ips: + delete: + allow: + port_groups: + - {{ port_groups.mysql }} + - {{ port_groups.redis }} + - {{ port_groups.osquery_8080 }} + heavy_node: + ips: + delete: + allow: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + localhost: + ips: + delete: + allow: + - 127.0.0.1 + master: + ips: + delete: + allow: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.osquery_8090 }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + ips: + delete: + allow: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + node: + ips: + delete: + allow: + port_groups: + - {{ port_groups.elasticsearch_node }} + osquery_endpoint: + ips: + delete: + allow: + port_groups: + - {{ port_groups.osquery_8090 }} + search_node: + ips: + delete: + allow: + port_groups: + - {{ port_groups.redis 
}} + - {{ port_groups.elasticsearch_node }} + self: + ips: + delete: + allow: + - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint'))))[0] }} + sensor: + ips: + delete: + allow: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + wazuh_endpoint: + ips: + delete: + allow: + port_groups: + - {{ port_groups.wazuh_endpoint }} \ No newline at end of file diff --git a/salt/firewall/unneeded_hostgroups.yaml b/salt/firewall/unneeded_hostgroups.yaml new file mode 100644 index 000000000..bdf7463e3 --- /dev/null +++ b/salt/firewall/unneeded_hostgroups.yaml 
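Review bot: This file is dead on arrival — nothing imports it, its name says it is unneeded, and `{% set port_groups = local_port_groups, default=default_port_groups, merge=True %}` near the top is not valid Jinja, so it could never render; unneeded_hostgroups.yaml and unneeded_role.map.jinja further down are the same pattern, and the `ports.yml` → `unneeded_ports.yml` renames keep yet more dead data in the state tree. Files that look like firewall configuration but are never applied invite someone to edit them expecting an effect; if they are scratch work, leave them out of the commit rather than carrying them until a later cleanup.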
@@ -0,0 +1,95 @@ +{% import_yaml 'firewall/port_groups.yaml' as port_groups %} +{% set port_groups = port_groups.firewall.aliases.ports %} + +firewall: + aliases: + analyst: + ips: + delete: + insert: + port_groups: + - {{ port_groups.nginx }} + beats_endpoint: + ips: + delete: + insert: + port_groups: + - {{ port_groups.beats_5044 }} + fleet: + ips: + delete: + insert: + port_groups: + - {{ port_groups.mysql }} + - {{ port_groups.redis }} + - {{ port_groups.osquery_8080 }} + heavy_node: + ips: + delete: + insert: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + master: + ips: + delete: + insert: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.osquery_8090 }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + ips: + delete: + insert: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + node: + ips: + delete: + insert: + port_groups: + - {{ port_groups.elasticsearch_node }} + osquery_endpoint: + ips: + delete: + insert: + port_groups: + - {{ port_groups.osquery_8090 }} + search_node: + ips: + delete: + insert: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + sensor: + ips: + delete: + insert: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + wazuh_endpoint: + ips: + delete: + insert: + port_groups: + - {{ port_groups.wazuh_endpoint }} \ No newline at end of file 
diff --git a/salt/firewall/ports.yml b/salt/firewall/unneeded_ports.yml
similarity index 100%
rename from salt/firewall/ports.yml
rename to salt/firewall/unneeded_ports.yml
diff --git a/salt/firewall/ports.yml.old b/salt/firewall/unneeded_ports.yml.old
similarity index 100%
rename from salt/firewall/ports.yml.old
rename to salt/firewall/unneeded_ports.yml.old
diff --git a/salt/firewall/unneeded_role.map.jinja b/salt/firewall/unneeded_role.map.jinja
new file mode 100644
index 000000000..f2858b509
--- /dev/null
+++ b/salt/firewall/unneeded_role.map.jinja
@@ -0,0 +1,288 @@ +{% import_yaml 'firewall/port_groups.yaml' as port_groups %} +{% set port_groups = port_groups.firewall.aliases.ports %} + +role: + eval: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + master: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.fleet_api }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + sensor: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + search_node: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + beats_endpoint: + port_groups: + - {{ port_groups.beats_5044 }} + osquery_endpoint: + port_groups: + - {{ port_groups.fleet_api }} + wazuh_endpoint: + port_groups: + - {{ port_groups.wazuh_endpoint }} + analyst: + port_groups: + - {{ port_groups.nginx }} + helisensor: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + master: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.fleet_api }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + port_groups: + - {{ port_groups.acng }} + - {{ 
port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + sensor: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + search_node: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + beats_endpoint: + port_groups: + - {{ port_groups.beats_5044 }} + osquery_endpoint: + port_groups: + - {{ port_groups.fleet_api }} + wazuh_endpoint: + port_groups: + - {{ port_groups.wazuh_endpoint }} + analyst: + port_groups: + - {{ port_groups.nginx }} + master: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + master: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.fleet_api }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + sensor: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + search_node: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + beats_endpoint: + port_groups: + - {{ port_groups.beats_5044 }} + osquery_endpoint: + port_groups: + - {{ port_groups.fleet_api }} + wazuh_endpoint: + port_groups: + - {{ port_groups.wazuh_endpoint }} + analyst: + port_groups: + - {{ port_groups.nginx }} + mastersearch: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + master: + port_groups: + - 
{{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.fleet_api }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + sensor: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + search_node: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + beats_endpoint: + port_groups: + - {{ port_groups.beats_5044 }} + osquery_endpoint: + port_groups: + - {{ port_groups.fleet_api }} + wazuh_endpoint: + port_groups: + - {{ port_groups.wazuh_endpoint }} + analyst: + port_groups: + - {{ port_groups.nginx }} + standalone: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + master: + port_groups: + - {{ port_groups.wazuh_endpoint }} + - {{ port_groups.playbook }} + - {{ port_groups.mysql }} + - {{ port_groups.navigator }} + - {{ port_groups.kibana }} + - {{ port_groups.redis }} + - {{ port_groups.influxdb }} + - {{ port_groups.fleet_api }} + - {{ port_groups.cortex }} + - {{ port_groups.elasticsearch_rest }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.cortex_es_rest }} + - {{ port_groups.cortex_es_node }} + minion: + port_groups: + - {{ port_groups.acng }} + - {{ port_groups.salt_master }} + - {{ port_groups.docker_registry }} + - {{ port_groups.osquery_8080 }} + - {{ port_groups.influxdb }} + - {{ port_groups.wazuh_minion }} + sensor: + port_groups: + - {{ port_groups.sensoroni }} + - {{ port_groups.beats_5044 }} + - {{ 
port_groups.beats_5644 }} + search_node: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.elasticsearch_node }} + beats_endpoint: + port_groups: + - {{ port_groups.beats_5044 }} + osquery_endpoint: + port_groups: + - {{ port_groups.fleet_api }} + wazuh_endpoint: + port_groups: + - {{ port_groups.wazuh_endpoint }} + analyst: + port_groups: + - {{ port_groups.nginx }} + searchnode: + hostgroups: + master: + port_groups: + - {{ port_groups.elasticsearch_node }} + dockernet: + port_groups: + - {{ port_groups.all }} + - {{ port_groups.elasticsearch_node }} + - {{ port_groups.elasticsearch_node }} + sensor: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + heavynode: + hostgroups: + self: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.beats_5044 }} + - {{ port_groups.beats_5644 }} + fleet: + hostgroups: + dockernet: + port_groups: + - {{ port_groups.all }} + self: + port_groups: + - {{ port_groups.redis }} + - {{ port_groups.mysql }} + - {{ port_groups.osquery_8080 }} + localhost: + port_groups: + - {{ port_groups.mysql }} + - {{ port_groups.osquery_8080 }} + analyst: + port_groups: + - {{ port_groups.fleet_webui }} \ No newline at end of file From accb3d536d2976dcf244311e9a16bf8fc5622614 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 9 Jun 2020 13:30:24 -0400 Subject: [PATCH 08/22] add chain to iptables state - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- .../assigned_hostgroups.local.map.yaml | 11 +- salt/firewall/assigned_hostgroups.map.yaml | 640 ++++++++++-------- salt/firewall/hostgroups.local.yaml | 4 +- salt/firewall/hostgroups.yaml | 5 + salt/firewall/init.sls | 26 +- salt/firewall/portgroups.yaml | 6 + salt/firewall/unneeded_hostgroups.local.yaml | 115 ---- salt/firewall/unneeded_hostgroups.yaml | 95 --- salt/firewall/unneeded_ports.yml | 145 ---- salt/firewall/unneeded_ports.yml.old | 63 -- salt/firewall/unneeded_role.map.jinja | 288 -------- 11 files changed, 394 insertions(+), 1004 deletions(-) delete mode 100644 salt/firewall/unneeded_hostgroups.local.yaml delete mode 100644 salt/firewall/unneeded_hostgroups.yaml delete mode 100644 salt/firewall/unneeded_ports.yml delete mode 100644 salt/firewall/unneeded_ports.yml.old delete mode 100644 salt/firewall/unneeded_role.map.jinja
diff --git a/salt/firewall/assigned_hostgroups.local.map.yaml b/salt/firewall/assigned_hostgroups.local.map.yaml
index 3484e2db6..fcfb09d8c 100644
--- a/salt/firewall/assigned_hostgroups.local.map.yaml
+++ b/salt/firewall/assigned_hostgroups.local.map.yaml
@@ -6,16 +6,9 @@ role:
eval:
- hostgroups:
- helixsensor:
- hostgroups:
+ helisensor:
master:
- hostgroups:
mastersearch:
- hostgroups:
standalone:
- hostgroups:
searchnode:
- hostgroups:
- fleet:
- hostgroups:
\ No newline at end of file
+ fleet:
\ No newline at end of file
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 319bda8e1..3cab69f69 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
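Review bot: The replacement key is spelled `helisensor`, but the default map still uses `helixsensor` (it is unchanged context in the next file), so after the merge in map.jinja both keys exist and a local override for the helix sensor role is never picked up; it should read `helixsensor:`. With the empty `hostgroups:` keys gone every role here is null, which is fine, but a short comment showing the nesting a role is expected to carry (the default map now puts a `chain:` level under each role) would help whoever first fills one in.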
@@ -3,286 +3,376 @@ role: eval: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ 
portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} helixsensor: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ 
portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} master: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ 
portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} mastersearch: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - 
portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + 
self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} standalone: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - master: - portgroups: - - {{ portgroups.wazuh_endpoint }} - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.navigator }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - - {{ portgroups.cortex }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.cortex_es_rest }} - - {{ portgroups.cortex_es_node }} - minion: - portgroups: - - {{ portgroups.acng }} - - {{ portgroups.salt_master }} - - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_minion }} - sensor: - portgroups: - - {{ portgroups.sensoroni }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - search_node: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_endpoint: - portgroups: - - {{ portgroups.wazuh_endpoint }} - analyst: - portgroups: - - {{ portgroups.nginx }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.wazuh_endpoint }} + - {{ portgroups.playbook }} + - {{ portgroups.mysql }} + - {{ portgroups.navigator }} + - {{ portgroups.kibana }} + - {{ portgroups.redis }} + - {{ 
portgroups.influxdb }} + - {{ portgroups.fleet_api }} + - {{ portgroups.cortex }} + - {{ portgroups.elasticsearch_rest }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.cortex_es_rest }} + - {{ portgroups.cortex_es_node }} + minion: + portgroups: + - {{ portgroups.acng }} + - {{ portgroups.docker_registry }} + - {{ portgroups.osquery_8080 }} + - {{ portgroups.influxdb }} + - {{ portgroups.wazuh_minion }} + sensor: + portgroups: + - {{ portgroups.sensoroni }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} + search_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_node }} + self: + portgroups: + - {{ portgroups.syslog}} + beats_endpoint: + portgroups: + - {{ portgroups.beats_5044 }} + osquery_endpoint: + portgroups: + - {{ portgroups.fleet_api }} + wazuh_endpoint: + portgroups: + - {{ portgroups.wazuh_endpoint }} + analyst: + portgroups: + - {{ portgroups.nginx }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} + minion: + portgroups: + - {{ portgroups.salt_master }} + searchnode: - hostgroups: - master: - portgroups: - - {{ portgroups.elasticsearch_node }} - dockernet: - portgroups: - - {{ portgroups.all }} - - {{ portgroups.elasticsearch_node }} - - {{ portgroups.elasticsearch_node }} + chain: + DOCKER-USER: + hostgroups: + master: + portgroups: + - {{ portgroups.elasticsearch_node }} + dockernet: + portgroups: + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_node }} + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} sensor: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} + chain: + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} heavynode: - hostgroups: - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} + chain: + DOCKER-USER: + 
hostgroups: + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.beats_5044 }} + - {{ portgroups.beats_5644 }} fleet: - hostgroups: - dockernet: - portgroups: - - {{ portgroups.all }} - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - localhost: - portgroups: - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - analyst: - portgroups: - - {{ portgroups.fleet_webui }} \ No newline at end of file + chain: + DOCKER-USER: + hostgroups: + self: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + localhost: + portgroups: + - {{ portgroups.mysql }} + - {{ portgroups.osquery_8080 }} + analyst: + portgroups: + - {{ portgroups.fleet_webui }} + INPUT: + hostgroups: + dockernet: + portgroups: + - {{ portgroups.all }} \ No newline at end of file diff --git a/salt/firewall/hostgroups.local.yaml b/salt/firewall/hostgroups.local.yaml index c8ae00303..f933dd7c4 100644 --- a/salt/firewall/hostgroups.local.yaml +++ b/salt/firewall/hostgroups.local.yaml @@ -4,7 +4,6 @@ firewall: ips: delete: insert: - - 10.11.1.1 beats_endpoint: ips: delete: @@ -44,5 +43,4 @@ firewall: wazuh_endpoint: ips: delete: - insert: - \ No newline at end of file + insert: \ No newline at end of file diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index fe781a848..56fbf96bc 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -1,5 +1,10 @@ firewall: hostgroups: + anywhere: + ips: + delete: + insert: + - 0.0.0.0/0 dockernet: ips: delete: diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index de4f3bfe8..781feb495 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
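Review bot: The searchnode `DOCKER-USER` → `dockernet` entry lists `{{ portgroups.elasticsearch_node }}` twice; the old side carried the same duplicate, but with the loop in init.sls each repeated port renders the same `{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}` state ID twice per IP, which Salt will presumably reject as a conflicting ID, so one of the two lines should go. `{{ portgroups.syslog}}` lacks the space before `}}` in each of the five master-type roles; it still renders but breaks the file's otherwise uniform spacing. The new `INPUT:` blocks would benefit from a one-line comment above the first one explaining the split, e.g. `# INPUT: host-level services; DOCKER-USER: traffic destined for containers`.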
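Review bot: `anywhere` is defined as `0.0.0.0/0` with no comment saying that it must only be paired with narrowly scoped portgroups; the map in this commit binds it to `ssh` on `INPUT` for every master-type role, and a maintainer who later attaches it to a wider group gets an unrestricted accept. Add above `anywhere:` something like `# Any IPv4 source. Pair only with single-service portgroups (currently ssh); restrict in hostgroups.local.yaml if remote login must be limited.` It matches IPv4 only, which is consistent with the `iptables.*` states used in init.sls.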
@@ -136,30 +136,34 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
{% endif %}
-{% for hostgroup, portgroups in assigned_hostgroups.role[role].hostgroups.items() %}
- {% for action in ['insert', 'delete' ] %}
- {% if hostgroups[hostgroup].ips[action] %}
- {% for ip in hostgroups[hostgroup].ips[action] %}
- {% for portgroup in portgroups.portgroups %}
- {% for proto, ports in portgroup.items() %}
- {% for port in ports %}
+{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}
+ {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %}
+ {% for action in ['insert', 'delete' ] %}
+ {% if hostgroups[hostgroup].ips[action] %}
+ {% for ip in hostgroups[hostgroup].ips[action] %}
+ {% for portgroup in portgroups.portgroups %}
+ {% for proto, ports in portgroup.items() %}
+ {% for port in ports %}
-{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
+{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
iptables.{{action}}:
- table: filter
- - chain: DOCKER-USER
+ - chain: {{ chain }}
- jump: ACCEPT
- proto: {{ proto }}
- source: {{ ip }}
- dport: {{ port }}
+ {% if action == 'insert' %}
- position: 1
+ {% endif %}
- save: True
+ {% endfor %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endfor %}
- {% endfor %}
- {% endif %}
+ {% endif %}
+ {% endfor %}
{% endfor %}
{% endfor %}
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index bb80aa7b8..e505dd3d0 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -71,6 +71,12 @@ firewall:
sensoroni:
tcp:
- 443
+ ssh:
+ tcp:
+ - 22
+ syslog:
+ tcp:
+ - 514
wazuh_minion:
tcp:
- 55000
diff --git a/salt/firewall/unneeded_hostgroups.local.yaml b/salt/firewall/unneeded_hostgroups.local.yaml
deleted file mode 100644
index 45dd886b1..000000000
--- a/salt/firewall/unneeded_hostgroups.local.yaml
+++ /dev/null
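Review bot: `hg` bound by the new outer loop is never used; the inner loop re-indexes `assigned_hostgroups.role[role].chain[chain].hostgroups`, so either write `{% for hostgroup, portgroups in hg.hostgroups.items() %}` or name the unused variable `_`. The rendered ID `{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}` is unique only while no hostgroup lists the same port twice across its portgroups; the searchnode dockernet entry in assigned_hostgroups.map.yaml does, which would presumably render a conflicting state ID, so it is worth deduplicating in the map or filtering here. The `{% if action == 'insert' %}` guard around `- position: 1` is right because `iptables.delete` takes no position, and a short comment above it (`# position applies to insert only; delete matches on the rule body`) would spare the next reader a lookup.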
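Review bot: `syslog` lists only `tcp: 514`, while many syslog senders use UDP 514; if the `self`/`syslog` pairing on the master roles is meant to receive plain syslog, add `udp:` with `- 514` under it, and if TCP-only is deliberate a comment such as `# TCP-only by design; UDP syslog is not accepted` would keep someone from "fixing" it later. The `ssh` group on TCP 22 is fine as written.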
@@ -1,115 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as default_port_groups %} -{% set default_port_groups = default_port_groups.firewall.aliases.ports %} - -{% import_yaml 'firewall/port_groups.local.yaml' as local_port_groups %} -{% set local_port_groups = local_port_groups.firewall.aliases.ports %} - -{% set port_groups = local_port_groups, default=default_port_groups, merge=True %} - -firewall: - aliases: - analyst: - ips: - delete: - allow: - port_groups: - - {{ port_groups.nginx }} - beats_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.beats_5044 }} - dockernet: - ips: - delete: - allow: - - 172.17.0.0/24 - fleet: - ips: - delete: - allow: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.redis }} - - {{ port_groups.osquery_8080 }} - heavy_node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - localhost: - ips: - delete: - allow: - - 127.0.0.1 - master: - ips: - delete: - allow: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.osquery_8090 }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - ips: - delete: - allow: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.elasticsearch_node }} - osquery_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.osquery_8090 }} - search_node: - ips: - delete: - allow: - port_groups: - - {{ port_groups.redis 
}} - - {{ port_groups.elasticsearch_node }} - self: - ips: - delete: - allow: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('master:mainint', salt['pillar.get']('node:mainint'))))[0] }} - sensor: - ips: - delete: - allow: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - wazuh_endpoint: - ips: - delete: - allow: - port_groups: - - {{ port_groups.wazuh_endpoint }} \ No newline at end of file diff --git a/salt/firewall/unneeded_hostgroups.yaml b/salt/firewall/unneeded_hostgroups.yaml deleted file mode 100644 index bdf7463e3..000000000 --- a/salt/firewall/unneeded_hostgroups.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as port_groups %} -{% set port_groups = port_groups.firewall.aliases.ports %} - -firewall: - aliases: - analyst: - ips: - delete: - insert: - port_groups: - - {{ port_groups.nginx }} - beats_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.beats_5044 }} - fleet: - ips: - delete: - insert: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.redis }} - - {{ port_groups.osquery_8080 }} - heavy_node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - master: - ips: - delete: - insert: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.osquery_8090 }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - ips: - delete: - insert: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.elasticsearch_node }} - osquery_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.osquery_8090 }} - search_node: - ips: - delete: - insert: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - sensor: - ips: - delete: - insert: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - wazuh_endpoint: - ips: - delete: - insert: - port_groups: - - {{ port_groups.wazuh_endpoint }} \ No newline at end of file 
diff --git a/salt/firewall/unneeded_ports.yml b/salt/firewall/unneeded_ports.yml deleted file mode 100644 index acca97343..000000000 --- a/salt/firewall/unneeded_ports.yml +++ /dev/null @@ -1,145 +0,0 @@ -firewall: - aliases: - analyst: - ports: - nginx: - tcp: - - 80 - - 443 - beats_endpoint: - ports: - beats: - tcp: - - 5044 - fleet: - ports: - mysql: - tcp: - - 3306 - redis: - tcp: - - 6379 - osquery: - tcp: - - 8080 - forward_nodes: - ports: - sensoroni: - tcp: - - 443 - beats: - tcp: - - 5044 - beats_so: - tcp: - - 5644 - heavy_node: - ports: - redis: - tcp: - - 6379 - beats: - - 5044 - beats2: - - 5644 - master: - ports: - wazuh: - tcp: - - 1514 - udp: - - 1514 - playbook: - tcp: - - 3200 - mysql: - tcp: - - 3306 - navigator: - tcp: - - 4200 - kibana: - tcp: - - 5601 - redis: - tcp: - - 6379 - influxdb: - tcp: - - 8086 - osquery: - tcp: - - 8090 - cortex: - tcp: - - 9001 - elasticsearch_rest: - tcp: - - 9200 - elasticsearch_node: - tcp: - - 9300 - cortex_es_rest: - tcp: - - 9400 - cortex_es_node: - tcp: - - 9500 - minions: - ports: - acng: - - 3142 - salt: - tcp: - - 4505 - - 4506 - registry: - tcp: - - 5000 - osquery: - tcp: - - 8080 - influxdb: - tcp: - - 8086 - wazuh: - tcp: - - 55000 - node: - ports: - elasticsearch_node: - tcp: - - 9300 - osquery_endpoint: - ports: - fleet: - tcp: - - 8090 - search_nodes: - ports: - redis: - tcp: - - 6379 - elasticsearch_node: - - 9300 - sensor: - ports: - wazuh_endpoint: - ports: - wazuh: - tcp: - - 1514 - udp: - - 1514 - - - - - - - - - - - - \ No newline at end of file diff --git a/salt/firewall/unneeded_ports.yml.old b/salt/firewall/unneeded_ports.yml.old deleted file mode 100644 index f318863c5..000000000 --- a/salt/firewall/unneeded_ports.yml.old +++ /dev/null 
@@ -1,63 +0,0 @@ -firewall: - aliases: - analyst: - ports: - tcp: - - 80 - - 443 - udp: - beats_endpoint: - ports: - tcp: - - 5044 - forward_nodes: - ports: - tcp: - - 443 - - 5044 - - 5644 - - 9822 - udp: - master: - ports: - tcp: - - 1514 - - 3200 - - 3306 - - 4200 - - 5601 - - 6379 - - 8086 - - 8090 - - 9001 - - 9200 - - 9300 - - 9400 - - 9500 - udp: - - 1514 - minions: - ports: - tcp: - - 3142 - - 4505 - - 4506 - - 5000 - - 8080 - - 8086 - - 55000 - osquery_endpoint: - ports: - tcp: - - 8090 - search_nodes: - ports: - tcp: - - 6379 - - 9300 - wazuh_endpoint: - ports: - tcp: - - 1514 - udp: - -1514 diff --git a/salt/firewall/unneeded_role.map.jinja b/salt/firewall/unneeded_role.map.jinja deleted file mode 100644 index f2858b509..000000000 --- a/salt/firewall/unneeded_role.map.jinja +++ /dev/null 
@@ -1,288 +0,0 @@ -{% import_yaml 'firewall/port_groups.yaml' as port_groups %} -{% set port_groups = port_groups.firewall.aliases.ports %} - -role: - eval: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - helisensor: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ 
port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - master: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - mastersearch: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - 
{{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - standalone: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - master: - port_groups: - - {{ port_groups.wazuh_endpoint }} - - {{ port_groups.playbook }} - - {{ port_groups.mysql }} - - {{ port_groups.navigator }} - - {{ port_groups.kibana }} - - {{ port_groups.redis }} - - {{ port_groups.influxdb }} - - {{ port_groups.fleet_api }} - - {{ port_groups.cortex }} - - {{ port_groups.elasticsearch_rest }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.cortex_es_rest }} - - {{ port_groups.cortex_es_node }} - minion: - port_groups: - - {{ port_groups.acng }} - - {{ port_groups.salt_master }} - - {{ port_groups.docker_registry }} - - {{ port_groups.osquery_8080 }} - - {{ port_groups.influxdb }} - - {{ port_groups.wazuh_minion }} - sensor: - port_groups: - - {{ port_groups.sensoroni }} - - {{ port_groups.beats_5044 }} - - {{ 
port_groups.beats_5644 }} - search_node: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.elasticsearch_node }} - beats_endpoint: - port_groups: - - {{ port_groups.beats_5044 }} - osquery_endpoint: - port_groups: - - {{ port_groups.fleet_api }} - wazuh_endpoint: - port_groups: - - {{ port_groups.wazuh_endpoint }} - analyst: - port_groups: - - {{ port_groups.nginx }} - searchnode: - hostgroups: - master: - port_groups: - - {{ port_groups.elasticsearch_node }} - dockernet: - port_groups: - - {{ port_groups.all }} - - {{ port_groups.elasticsearch_node }} - - {{ port_groups.elasticsearch_node }} - sensor: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - heavynode: - hostgroups: - self: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.beats_5044 }} - - {{ port_groups.beats_5644 }} - fleet: - hostgroups: - dockernet: - port_groups: - - {{ port_groups.all }} - self: - port_groups: - - {{ port_groups.redis }} - - {{ port_groups.mysql }} - - {{ port_groups.osquery_8080 }} - localhost: - port_groups: - - {{ port_groups.mysql }} - - {{ port_groups.osquery_8080 }} - analyst: - port_groups: - - {{ port_groups.fleet_webui }} \ No newline at end of file From 15fd4de669498a5198c388913e89d1e831ecc254 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 9 Jun 2020 13:44:10 -0400 Subject: [PATCH 09/22] remove yamlized rules, update assigned hostgroups - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- salt/firewall/assigned_hostgroups.map.yaml | 26 +++++++++++ salt/firewall/init.sls | 51 ---------------------- 2 files changed, 26 insertions(+), 51 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 3cab69f69..a564942e1 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -336,16 +336,28 @@ role: - {{ portgroups.elasticsearch_node }} INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: portgroups: - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} sensor: chain: INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: portgroups: - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} heavynode: chain: DOCKER-USER: @@ -355,6 +367,14 @@ role: - {{ portgroups.redis }} - {{ portgroups.beats_5044 }} - {{ portgroups.beats_5644 }} + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + localhost: + portgroups: + - {{ portgroups.all }} fleet: chain: DOCKER-USER: @@ -373,6 +393,12 @@ role: - {{ portgroups.fleet_webui }} INPUT: hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} dockernet: + portgroups: + - {{ portgroups.all }} + localhost: portgroups: - {{ portgroups.all }} \ No newline at end of file diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 781feb495..12e6366a7 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,17 +1,4 @@ # Firewall Magic for the grid -{% if grains['role'] in ['so-eval','so-master','so-helix','so-mastersearch', 'so-standalone'] %} - {% set ip = salt['pillar.get']('static:masterip', '') %} -{% elif grains['role'] == 'so-node' or grains['role'] == 'so-heavynode' %} - {% set ip = salt['pillar.get']('node:mainip', '') %} -{% elif grains['role'] == 'so-sensor' %} - {% set ip = salt['pillar.get']('sensor:mainip', '') %} -{% elif grains['role'] == 'so-fleet' %} - {% set ip = salt['pillar.get']('node:mainip', '') %} -{% endif %} - -{% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} -{% set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %} - {% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import assigned_hostgroups with context %} {% set role = grains.id.split('_') | last %} 
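Review bot: The heavynode role's new `INPUT` block lists only `anywhere`/ssh and `localhost`/all, while every other role touched in this hunk (sensor, fleet, and the role above them) also carries `dockernet: portgroups: - {{ portgroups.all }}` on `INPUT`; if heavynode's containers need to reach the host this would block them, so please confirm the omission is intentional or add the same `dockernet` entry. The `anywhere` → `ssh` pairing is what replaces the global `iptables_allow_ssh` rule that this series drops from init.sls, so a short comment above the first such entry, `# SSH from any source; replaces the former iptables_allow_ssh state`, would make that exposure visible to whoever edits the map next. The file still ends without a trailing newline.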
@@ -31,15 +18,6 @@ iptables_fix_fwd: - position: 1 - target: DOCKER-USER -# Keep localhost in the game -iptables_allow_localhost: - iptables.append: - - table: filter - - chain: INPUT - - jump: ACCEPT - - source: 127.0.0.1 - - save: True - # Allow related/established sessions iptables_allow_established: iptables.append: @@ -50,16 +28,6 @@ iptables_allow_established: - ctstate: 'RELATED,ESTABLISHED' - save: True -# Always allow SSH so we can like log in -iptables_allow_ssh: - iptables.append: - - table: filter - - chain: INPUT - - jump: ACCEPT - - dport: 22 - - proto: tcp - - save: True - # I like pings iptables_allow_pings: iptables.append: @@ -117,25 +85,6 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' -# Rules if you are a Master -{% if grains['role'] in ['so-master', 'so-eval', 'so-helix', 'so-mastersearch', 'so-standalone'] %} - -# Allow Fleet Node to send its beats traffic -{% if FLEET_NODE %} -enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ FLEET_NODE_IP }} - - dport: 5644 - - position: 1 - - save: True -{% endif %} - -{% endif %} - {% for chain, hg in assigned_hostgroups.role[role].chain.items() %} {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %} {% for action in ['insert', 'delete' ] %} From c07290571790ed0865d43b280073f23000e4d920 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 10 Jun 2020 01:18:39 -0400 Subject: [PATCH 10/22] Initial firewall management script --- salt/common/tools/sbin/so-firewall | 129 +++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100755 salt/common/tools/sbin/so-firewall diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall new file mode 100755 index 000000000..56b07e2f2 --- /dev/null +++ b/salt/common/tools/sbin/so-firewall 
@@ -0,0 +1,129 @@
+#!/usr/bin/env python3
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import sys
+import yaml
+
+hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
+
+def showUsage(args):
+ print('Usage: {} [ARGS...]'.format(sys.argv[0]))
+ print(' Available commands:');
+ print(' help - Prints this usage information.');
+ print(' included - Lists the IPs included in the given hostgroup. Args: ');
+ print(' excluded - Lists the IPs excluded from the given hostgroup. Args: ');
+ print(' include - Adds the given IP (or CIDR) to the given hostgroup. Args: ');
+ print(' exclude - Removes the given IP (or CIDR) from the given hostgroup. Args: ');
+ print(' addgroup - Adds a new hostgroup. Args: ');
+ sys.exit(1)
+
+def loadYaml(filename):
+ file = open(filename, "r")
+ return yaml.load(file.read())
+
+def writeYaml(filename, content):
+ file = open(filename, "w")
+ return yaml.dump(content, file)
+
+def listIps(name, mode):
+ content = loadYaml(hostgroupsFilename)
+ if name not in content['firewall']['hostgroups']:
+ print('Hostgroup does not exist', file=sys.stderr)
+ return 4
+ hostgroup = content['firewall']['hostgroups'][name]
+ ips = hostgroup['ips'][mode]
+ if ips is not None:
+ for ip in ips:
+ print(ip)
+ return 0
+
+def addIp(name, ip, mode):
+ content = loadYaml(hostgroupsFilename)
+ if name not in content['firewall']['hostgroups']:
+ print('Hostgroup does not exist', file=sys.stderr)
+ return 4
+ hostgroup = content['firewall']['hostgroups'][name]
+ ips = hostgroup['ips'][mode]
+ if ips is None:
+ ips = []
+ hostgroup['ips'][mode] = ips
+ if ip not in ips:
+ ips.append(ip)
+ else:
+ print('Already exists', file=sys.stderr)
+ return 3
+ writeYaml(hostgroupsFilename, content)
+ return 0
+
+def addgroup(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+
+ name = args[0]
+ content = loadYaml(hostgroupsFilename)
+ if name in content['firewall']['hostgroups']:
+ print('Already exists', file=sys.stderr)
+ return 3
+ content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
+ writeYaml(hostgroupsFilename, content)
+ return 0
+
+def included(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+ return listIps(args[0], 'insert')
+
+def excluded(args):
+ if len(args) != 1:
+ print('Missing hostgroup name argument', file=sys.stderr)
+ showUsage(args)
+ return listIps(args[0], 'delete')
+
+def include(args):
+ if len(args) != 2:
+ print('Missing hostgroup name or ip argument', file=sys.stderr)
+ showUsage(args)
+ return addIp(args[0], args[1], 'insert')
+
+def exclude(args):
+ if len(args) != 2:
+ print('Missing hostgroup name or ip argument', file=sys.stderr)
+ showUsage(args)
+ return addIp(args[0], args[1], 'delete')
+
+def main():
+ args = sys.argv[1:]
+ if len(args) == 0:
+ showUsage(None)
+
+ commands = {
+ "help": showUsage,
+ "included": included,
+ "excluded": excluded,
+ "include": include,
+ "exclude": exclude,
+ "addgroup": addgroup
+ }
+
+ cmd = commands.get(args[0], showUsage)
+ code = cmd(args[1:])
+ sys.exit(code)
+
+if __name__ == "__main__":
+ main()
From f89baff3d7a143fa6ef3c9e434465bc62e2c1fce Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Jun 2020 14:05:19 -0400 Subject: [PATCH 11/22] adding ability to assign hostgroup to single minion - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- .../assigned_hostgroups.local.map.yaml | 0 .../firewall/hostgroups.local.yaml | 1 + .../firewall/portgroups.local.yaml | 0 salt/firewall/init.sls | 5 ++-- salt/firewall/map.jinja | 26 ++++++++++++++++++- 5 files changed, 28 insertions(+), 4 deletions(-) rename {salt => files}/firewall/assigned_hostgroups.local.map.yaml (100%) rename {salt => files}/firewall/hostgroups.local.yaml (94%) rename {salt => files}/firewall/portgroups.local.yaml (100%)
diff --git a/salt/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml similarity index 100% rename from salt/firewall/assigned_hostgroups.local.map.yaml rename to files/firewall/assigned_hostgroups.local.map.yaml
diff --git a/salt/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml similarity index 94% rename from salt/firewall/hostgroups.local.yaml rename to files/firewall/hostgroups.local.yaml
index f933dd7c4..dad7200c6 100644
--- a/salt/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -20,6 +20,7 @@ firewall: ips: delete: insert: + - 10.10.10.10 minion: ips: delete:
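Review bot: `loadYaml` calls `yaml.load(file.read())` with no `Loader`, which on PyYAML releases before 5.1 is the full unsafe loader and on later ones emits a warning; since these files are operator-edited YAML with plain scalars and lists, `yaml.safe_load` is the right call, and both `loadYaml` and `writeYaml` also leave their file handles unclosed. The `ip` argument taken by `addIp` is written verbatim into the hostgroups file and, per the `{% for ip in hostgroups[hostgroup].ips[action] %}` loop in init.sls, later becomes an iptables `source`, so a malformed value would only surface as a failed state run; validating it with `ipaddress.ip_network(ip, strict=False)` (add `import ipaddress` next to `import sys`) fails fast with a clear message instead. A short docstring on `addIp`/`listIps` naming the two modes, `"""mode is 'insert' (allow) or 'delete' (block), matching the keys under ips: in hostgroups.local.yaml."""`, would also help, since the CLI words (include/exclude) differ from the YAML keys.
```python
def loadYaml(filename):
    # safe_load: the hostgroups file holds only scalars and lists, never Python objects
    with open(filename, "r") as file:
        return yaml.safe_load(file)

def writeYaml(filename, content):
    with open(filename, "w") as file:
        return yaml.dump(content, file)

def addIp(name, ip, mode):
    try:
        ipaddress.ip_network(ip, strict=False)
    except ValueError:
        print('Invalid IP address or CIDR block', file=sys.stderr)
        return 5
    # … unchanged: load file, host group lookup, append, write …
```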
diff --git a/salt/firewall/portgroups.local.yaml b/files/firewall/portgroups.local.yaml similarity index 100% rename from salt/firewall/portgroups.local.yaml rename to files/firewall/portgroups.local.yaml diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 12e6366a7..83949349f 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,7 +1,6 @@ # Firewall Magic for the grid {% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import assigned_hostgroups with context %} -{% set role = grains.id.split('_') | last %} # Quick Fix for Docker being difficult iptables_fix_docker: @@ -85,8 +84,8 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' -{% for chain, hg in assigned_hostgroups.role[role].chain.items() %} - {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %} +{% for chain, hg in assigned_hostgroups.chain.items() %} + {% for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %} {% for action in ['insert', 'delete' ] %} {% if hostgroups[hostgroup].ips[action] %} {% for ip in hostgroups[hostgroup].ips[action] %} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 32669692f..0f1b3c05b 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
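Review bot: The rewritten outer loop in init.sls binds `hg` to the chain's value and then never uses it, re-indexing `assigned_hostgroups.chain[chain].hostgroups` on the next line instead; a style nit, but `{% for hostgroup, portgroups in hg.hostgroups.items() %}` reads the same structure without the second lookup. The loop body continues past the end of this hunk.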
@@ -1,7 +1,31 @@ +{% set role = grains.id.split('_') | last %} + +{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} +{% set default_portgroups = default_portgroups.firewall.aliases.ports %} +{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} +{% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} +{% set defined_portgroups = portgroups %} + {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} {% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %} {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} +{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} +{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} + {% set translated_pillar_assigned_hostgroups = {} %} + {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %} + {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %} + {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %} + {% for pillar_portgroup in pillar_portgroups.portgroups %} + {% set pillar_portgroup = pillar_portgroup.split('.') | last %} + {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %} + {% endfor %} + {% endfor %} + {% endfor %} +{% endif %} + {% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %} {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %} -{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups, 
default_assigned_hostgroups, merge_lists=True, in_place=False) %} \ No newline at end of file +{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=True, in_place=False) %} +{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} \ No newline at end of file From fcb26bdaed9740bd07cf7f189460939fc63b4863 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Jun 2020 15:03:34 -0400 Subject: [PATCH 12/22] change how ips are added during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- pillar/top.sls | 1 - setup/so-functions | 7 ++++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 6569209ef..b0576c6eb 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -44,7 +44,6 @@ base: - logstash - logstash.master - logstash.search - - firewall.* - data.* - brologs - secrets diff --git a/setup/so-functions b/setup/so-functions index 16b7ef9a0..6dd0f5793 100755 --- a/setup/so-functions +++ b/setup/so-functions 
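Review bot: Inside the translation loops, `translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}})` replaces the whole `chain` key on every iteration, so when the pillar assigns more than one host group (or more than one chain) only the last one survives into the merge; building the nested keys incrementally avoids that, e.g. `{% do translated_pillar_assigned_hostgroups.setdefault("chain", {}).setdefault(chain, {}).setdefault("hostgroups", {}).update({pillar_hostgroup: {"portgroups": []}}) %}` if Salt's Jinja exposes `dict.setdefault` the way it exposes `update` here. The final `salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, …)` also references a name that is only set inside the `{% if %}`, so minions with no `firewall:assigned_hostgroups:chain` pillar hit an undefined variable. The comment above the block should read `{# This block translates the portgroups named in the pillar to those defined by portgroups.yaml and portgroups.local.yaml #}`.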
@@ -1382,11 +1382,16 @@ set_initial_firewall_policy() { printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; - 'EVAL' | 'MASTERSEARCH') + 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ $local_salt_dir/pillar/firewall/masterfw.sls\ $local_salt_dir/pillar/firewall/forward_nodes.sls\ $local_salt_dir/pillar/firewall/search_nodes.sls + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" + salt-call -l info state.apply firewall >> $setup_log 2>&1 + case "$install_type" in 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True From 23be399a680c5d9c7f06755c9ad857e0ca2bdb22 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 10 Jun 2020 15:16:32 -0400 Subject: [PATCH 13/22] Ensure host doesn't exist in both include and exclude lists; add support for port management; add support for removing host from exclude list --- salt/common/tools/sbin/so-firewall | 211 +++++++++++++++++++++++++---- 1 file changed, 184 insertions(+), 27 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 56b07e2f2..d87fd847e 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
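Review bot: The three new `so-firewall includehost` calls discard their exit status, yet the tool returns 3 or 4 when the group is missing or the YAML cannot be updated, so setup would continue with the master's own IP absent from the `master`/`sensor`/`search_node` groups and the following `salt-call state.apply firewall` would then lock it out of its own services. Each call should feed setup's failure path, e.g. `$default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" >> "$setup_log" 2>&1 || { echo "so-firewall includehost master failed" >> "$setup_log"; exit 1; }` (adapt to whatever error helper so-functions already uses). The same unchecked pattern appears in the PATCH 18 loop in firewall_generate_templates and in the PATCH 19 rewrite of this case block. The enclosing `set_initial_firewall_policy` function continues beyond this hunk.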
@@ -19,16 +19,29 @@ import sys
 import yaml
 hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
+portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
+supportedProtocols = ['tcp', 'udp']
 def showUsage(args):
 print('Usage: {} [ARGS...]'.format(sys.argv[0]))
- print(' Available commands:');
- print(' help - Prints this usage information.');
- print(' included - Lists the IPs included in the given hostgroup. Args: ');
- print(' excluded - Lists the IPs excluded from the given hostgroup. Args: ');
- print(' include - Adds the given IP (or CIDR) to the given hostgroup. Args: ');
- print(' exclude - Removes the given IP (or CIDR) from the given hostgroup. Args: ');
- print(' addgroup - Adds a new hostgroup. Args: ');
+ print(' Available commands:')
+ print(' help - Prints this usage information.')
+ print(' includedhosts - Lists the IPs included in the given group. Args: ')
+ print(' excludedhosts - Lists the IPs excluded from the given group. Args: ')
+ print(' includehost - Includes the given IP in the given group. Args: ')
+ print(' excludehost - Excludes the given IP from the given group. Args: ')
+ print(' removehost - Removes an excluded IP from the given group. Args: ')
+ print(' addhostgroup - Adds a new, custom host group. Args: ')
+ print(' listports - Lists ports in the given group and protocol. Args: ')
+ print(' addport - Adds a PORT to the given group. Args: ')
+ print(' removeport - Removes a PORT from the given group. Args: ')
+ print(' addportgroup - Adds a new, custom port group. Args: ')
+ print('')
+ print(' Where:')
+ print(' GROUP_NAME - The name of an alias group (Ex: analyst)')
+ print(' IP - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
+ print(' PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols))
+ print(' PORT - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
 sys.exit(1)
 def loadYaml(filename):
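Review bot: The `PORT_PROTOCOL` usage line concatenates `str(supportedProtocols)`, which prints the Python list repr (`['tcp', 'udp']`) into operator-facing help; `', '.join(supportedProtocols)` gives `tcp, udp` and is the idiomatic form. The usage text documents the `PORT` range syntax `8000:8002`, so the `addport` handler added later in this patch should be the place that actually enforces it.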
@@ -42,7 +55,7 @@ def writeYaml(filename, content): def listIps(name, mode): content = loadYaml(hostgroupsFilename) if name not in content['firewall']['hostgroups']: - print('Hostgroup does not exist', file=sys.stderr) + print('Host group does not exist', file=sys.stderr) return 4 hostgroup = content['firewall']['hostgroups'][name] ips = hostgroup['ips'][mode] @@ -54,7 +67,7 @@ def listIps(name, mode): def addIp(name, ip, mode): content = loadYaml(hostgroupsFilename) if name not in content['firewall']['hostgroups']: - print('Hostgroup does not exist', file=sys.stderr) + print('Host group does not exist', file=sys.stderr) return 4 hostgroup = content['firewall']['hostgroups'][name] ips = hostgroup['ips'][mode] @@ -69,12 +82,37 @@ def addIp(name, ip, mode): writeYaml(hostgroupsFilename, content) return 0 -def addgroup(args): +def removeIp(name, ip, mode, silence = False): + content = loadYaml(hostgroupsFilename) + if name not in content['firewall']['hostgroups']: + print('Host group does not exist', file=sys.stderr) + return 4 + hostgroup = content['firewall']['hostgroups'][name] + ips = hostgroup['ips'][mode] + if ips is None: + ips = [] + hostgroup['ips'][mode] = ips + if ip in ips: + ips.remove(ip) + else: + if not silence: + print('IP does not exist', file=sys.stderr) + return 3 + writeYaml(hostgroupsFilename, content) + return 0 + +def createProtocolMap(): + map = {} + for protocol in supportedProtocols: + map[protocol] = [] + return map + +def addhostgroup(args): if len(args) != 1: - print('Missing hostgroup name argument', file=sys.stderr) + print('Missing host group name argument', file=sys.stderr) showUsage(args) - name = args[0] + name = args[1] content = loadYaml(hostgroupsFilename) if name in content['firewall']['hostgroups']: print('Already exists', file=sys.stderr) 
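Review bot: In `addhostgroup` the argument lookup changed from `name = args[0]` to `name = args[1]`, but the guard just above still requires `len(args) == 1`, so every successful `addhostgroup NAME` invocation now raises `IndexError` before reaching the file; revert to `name = args[0]`. In `createProtocolMap` the local `map` shadows the builtin, `protocols = {}` would do, and the loop itself is a one-liner, `return {protocol: [] for protocol in supportedProtocols}`. `addhostgroup`'s body continues into the next hunk.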
@@ -83,29 +121,143 @@ def addgroup(args): writeYaml(hostgroupsFilename, content) return 0 -def included(args): +def addportgroup(args): if len(args) != 1: - print('Missing hostgroup name argument', file=sys.stderr) + print('Missing port group name argument', file=sys.stderr) + showUsage(args) + + name = args[0] + content = loadYaml(portgroupsFilename) + ports = content['firewall']['aliases']['ports'] + if ports is None: + ports = {} + content['firewall']['aliases']['ports'] = ports + if name in ports: + print('Already exists', file=sys.stderr) + return 3 + ports[name] = createProtocolMap() + writeYaml(portgroupsFilename, content) + return 0 + +def listports(args): + if len(args) != 2: + print('Missing port group name or port protocol', file=sys.stderr) + showUsage(args) + + name = args[0] + protocol = args[1] + if protocol not in supportedProtocols: + print('Port protocol is not supported', file=sys.stderr) + return 5 + + content = loadYaml(portgroupsFilename) + ports = content['firewall']['aliases']['ports'] + if ports is None: + ports = {} + content['firewall']['aliases']['ports'] = ports + if name not in ports: + print('Port group does not exist', file=sys.stderr) + return 3 + ports = ports[name][protocol] + if ports is not None: + for port in ports: + print(port) + return 0 + +def addport(args): + if len(args) != 3: + print('Missing port group name or port protocol, or port argument', file=sys.stderr) + showUsage(args) + + name = args[0] + protocol = args[1] + port = args[2] + if protocol not in supportedProtocols: + print('Port protocol is not supported', file=sys.stderr) + return 5 + + content = loadYaml(portgroupsFilename) + ports = content['firewall']['aliases']['ports'] + if ports is None: + ports = {} + content['firewall']['aliases']['ports'] = ports + if name not in ports: + print('Port group does not exist', file=sys.stderr) + return 3 + ports = ports[name][protocol] + if ports is None: + ports = [] + 
content['firewall']['aliases']['ports'][name][protocol] = ports + if port in ports: + print('Already exists', file=sys.stderr) + return 3 + ports.append(port) + writeYaml(portgroupsFilename, content) + return 0 + +def removeport(args): + if len(args) != 3: + print('Missing port group name or port protocol, or port argument', file=sys.stderr) + showUsage(args) + + name = args[0] + protocol = args[1] + port = args[2] + if protocol not in supportedProtocols: + print('Port protocol is not supported', file=sys.stderr) + return 5 + + content = loadYaml(portgroupsFilename) + ports = content['firewall']['aliases']['ports'] + if ports is None: + ports = {} + content['firewall']['aliases']['ports'] = ports + if name not in ports: + print('Port group does not exist', file=sys.stderr) + return 3 + ports = ports[name][protocol] + if ports is None or port not in ports: + print('Port does not exist', file=sys.stderr) + return 3 + ports.remove(port) + writeYaml(portgroupsFilename, content) + return 0 + +def includedhosts(args): + if len(args) != 1: + print('Missing host group name argument', file=sys.stderr) showUsage(args) return listIps(args[0], 'insert') -def excluded(args): +def excludedhosts(args): if len(args) != 1: - print('Missing hostgroup name argument', file=sys.stderr) + print('Missing host group name argument', file=sys.stderr) showUsage(args) return listIps(args[0], 'delete') -def include(args): +def includehost(args): if len(args) != 2: - print('Missing hostgroup name or ip argument', file=sys.stderr) + print('Missing host group name or ip argument', file=sys.stderr) showUsage(args) - return addIp(args[0], args[1], 'insert') + result = addIp(args[0], args[1], 'insert') + if result == 0: + removeIp(args[0], args[1], 'delete', True) + return result -def exclude(args): +def excludehost(args): if len(args) != 2: - print('Missing hostgroup name or ip argument', file=sys.stderr) + print('Missing host group name or ip argument', file=sys.stderr) showUsage(args) - return 
addIp(args[0], args[1], 'delete') + result = addIp(args[0], args[1], 'delete') + if result == 0: + removeIp(args[0], args[1], 'insert', True) + return result + +def removehost(args): + if len(args) != 2: + print('Missing host group name or ip argument', file=sys.stderr) + showUsage(args) + return removeIp(args[0], args[1], 'delete') def main(): args = sys.argv[1:] @@ -114,11 +266,16 @@ def main(): commands = { "help": showUsage, - "included": included, - "excluded": excluded, - "include": include, - "exclude": exclude, - "addgroup": addgroup + "includedhosts": includedhosts, + "excludedhosts": excludedhosts, + "includehost": includehost, + "excludehost": excludehost, + "removehost": removehost, + "listports": listports, + "addport": addport, + "removeport": removeport, + "addhostgroup": addhostgroup, + "addportgroup": addportgroup } cmd = commands.get(args[0], showUsage) From 7c5343ebe1e386e2ec04f41528d13a334e087e50 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Jun 2020 15:35:15 -0400 Subject: [PATCH 14/22] copy local firewall yaml files during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- setup/so-functions | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 6dd0f5793..bb226a5fb 100755 --- a/setup/so-functions +++ b/setup/so-functions 
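Review bot: `addport` appends the raw `port` string to the YAML after checking only the protocol, and the usage text promises a numeric port or a `LOW:HIGH` range, so a typo such as `44e3` or a reversed range is stored and only fails later when the firewall state renders the `dport`; validate before writing. `addport`, `removeport` and `listports` also index `ports[name][protocol]` directly, which raises `KeyError` for a group created by hand in portgroups.local.yaml without one of the protocol keys, so `ports[name].get(protocol)` with the same "does not exist" message is safer. Exit code 3 is now returned for both "already exists" and "does not exist", which makes scripted callers unable to tell the two apart; a comment on the codes (or distinct values) would help. The `validatePort` helper below is a constructed example.
```python
def validatePort(port):
    # Accept a single port or an inclusive iptables range LOW:HIGH, each 1-65535.
    parts = port.split(':')
    if len(parts) > 2 or not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        return False
    return len(parts) == 1 or int(parts[0]) <= int(parts[1])

def addport(args):
    # … unchanged: argument count and protocol checks …
    if not validatePort(port):
        print('Port must be a number or a LOW:HIGH range between 1 and 65535', file=sys.stderr)
        return 5
    # … unchanged: load file, group lookup, append, write …
```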
@@ -745,22 +745,11 @@ fireeye_pillar() { # Generate Firewall Templates firewall_generate_templates() { - local firewall_pillar_path=$local_salt_dir/pillar/firewall + local firewall_pillar_path=$local_salt_dir/salt/firewall mkdir -p "$firewall_pillar_path" + + cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 - for i in analyst beats_endpoint forward_nodes master minions osquery_endpoint search_nodes wazuh_endpoint - do - printf '%s\n'\ - "firewall:"\ - " alias:"\ - " $i:"\ - " ips:" \ - " delete:"\ - " allow:"\ - " - 127.0.0.1"\ - "" > "$firewall_pillar_path"/$i.sls - echo "Added $i Template" - done } fleet_pillar() { From 119ce2d93f6b510e9a0eeef25580db72508b2171 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Jun 2020 15:37:18 -0400 Subject: [PATCH 15/22] remove from writing to firewall pillar - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- setup/so-functions | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index bb226a5fb..21908b684 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1372,10 +1372,6 @@ set_initial_firewall_policy() { $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') - printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ - $local_salt_dir/pillar/firewall/masterfw.sls\ - $local_salt_dir/pillar/firewall/forward_nodes.sls\ - $local_salt_dir/pillar/firewall/search_nodes.sls $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" From f92ad7d6711413b2efc4d8d419567281c47d5bf0 Mon Sep 17 00:00:00 2001 
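Review bot: The new `cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/` ignores the `$firewall_pillar_path` variable computed two lines above (so the `mkdir -p` and the copy only agree when `$local_salt_dir` happens to be `/opt/so/saltstack/local`), and it depends on the caller's working directory through the relative `../files`. It also overwrites unconditionally, so re-running setup would wipe the `hostgroups.local.yaml` that `so-firewall includehost` populates; `cp -n "$(dirname "$0")/../files/firewall/"* "$firewall_pillar_path"/ >> "$setup_log" 2>&1` keeps existing local files and uses the variable. With the pillar directory gone, `firewall_pillar_path` is now a misnomer; `firewall_local_path` would describe what it holds.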
From: m0duspwnens Date: Wed, 10 Jun 2020 16:34:37 -0400 Subject: [PATCH 16/22] handle undefined local values - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- .../assigned_hostgroups.local.map.yaml | 6 ++++- files/firewall/hostgroups.local.yaml | 1 - salt/firewall/map.jinja | 22 +++++++++++++++---- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index fcfb09d8c..a942252a7 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -1,7 +1,11 @@ {% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.aliases.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.aliases.ports %} + {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% else %} + {% set local_portgroups = {} %} +{% endif %} {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} role: diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index dad7200c6..f933dd7c4 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -20,7 +20,6 @@ firewall: ips: delete: insert: - - 10.10.10.10 minion: ips: delete: diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 0f1b3c05b..2df668a07 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
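Review bot: The `{% if local_portgroups.firewall.aliases.ports %}` guard in assigned_hostgroups.local.map.yaml handles an empty `ports:` key but still dereferences `firewall.aliases`, so a local file that omits `aliases` (or is empty) would presumably fail one level higher; `salt['defaults.merge']` is already tolerant of `{}`, so guarding the whole path, or noting in a comment which keys the local file must always contain, would make the contract explicit. This portgroups import-and-merge is now duplicated verbatim in map.jinja (same patch), so a comment pointing at the canonical copy, `{# keep in sync with the portgroups block in firewall/map.jinja #}`, would reduce drift until one of them can import the other.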
@@ -1,9 +1,14 @@ {% set role = grains.id.split('_') | last %} +{% set translated_pillar_assigned_hostgroups = {} %} {% import_yaml 'firewall/portgroups.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.aliases.ports %} {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} -{% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% if local_portgroups.firewall.aliases.ports %} + {% set local_portgroups = local_portgroups.firewall.aliases.ports %} +{% else %} + {% set local_portgroups = {} %} +{% endif %} {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} {% set defined_portgroups = portgroups %} @@ -13,13 +18,14 @@ {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} - {% set translated_pillar_assigned_hostgroups = {} %} + {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %} {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %} {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %} {% for pillar_portgroup in pillar_portgroups.portgroups %} {% set pillar_portgroup = pillar_portgroup.split('.') | last %} {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %} + {% endfor %} {% endfor %} {% endfor %} 
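Review bot: By the second hunk's counts (13 old lines, 14 new, one removed `{% set %}`, one added blank) the new side ends with four `{% endfor %}` tags for the three `{% for %}` loops in the translation block; Jinja rejects an unmatched `endfor`, so if the collapsed text is faithful the whole firewall state would fail to render on every minion, and the added `{% endfor %}` should be dropped. Hoisting `{% set translated_pillar_assigned_hostgroups = {} %}` to the top of the file is the right fix for the undefined-name case, but it belongs next to a comment saying why, e.g. `{# defined unconditionally so the final merge is safe when no firewall pillar is set #}`.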
@@ -27,5 +33,13 @@ {% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %} {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %} -{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=True, in_place=False) %} -{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} \ No newline at end of file +{% if local_assigned_hostgroups.role[role] %} + {% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=False, in_place=False) %} +{% else %} + {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %} +{% endif %} + + +{% if translated_pillar_assigned_hostgroups %} + {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} +{% endif %} \ No newline at end of file From 03c43da6f27c087a00f7e665884a638cf4a0f3cc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 10 Jun 2020 17:19:03 -0400 Subject: [PATCH 17/22] create iptables file if it doesnt exist - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- salt/firewall/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 83949349f..2d14ae4b5 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -2,6 +2,11 @@ {% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import assigned_hostgroups with context %} +create_sysconfig_iptables: + file.touch: + - name: /etc/sysconfig/iptables + - unless: 'ls /etc/sysconfig/iptables' + # Quick Fix for Docker being difficult iptables_fix_docker: iptables.chain_present: From 5317ee8b5af6676d907d80f4b36648be66b6bc5c Mon Sep 17 00:00:00 2001 
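Review bot: The local/default merge switches `merge_lists` from `True` to `False` without explanation, which changes the contract for anyone maintaining assigned_hostgroups.local.map.yaml: a role defined locally now replaces the default portgroup lists for each host group instead of appending to them, while the pillar merge two lines below still appends; a comment such as `{# merge_lists=False: a locally defined role overrides the default portgroups for that host group; pillar assignments are appended below #}` would record the intent. `{% if local_assigned_hostgroups.role[role] %}` also assumes the local file always has a `role:` mapping; if it can be empty, guard `local_assigned_hostgroups.role` first.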
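Review bot: `create_sysconfig_iptables` shells out to `ls` just to test existence, which `file.managed` expresses natively: `file.managed: - name: /etc/sysconfig/iptables - replace: False` creates the empty file once and leaves an existing one untouched, without the `unless` round trip. A one-line comment stating why the file must pre-exist, e.g. `# iptables states with save: True need this file present to write to`, would explain the state to the next reader, as that reason is not visible from init.sls itself.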
From: m0duspwnens Date: Wed, 10 Jun 2020 17:41:22 -0400 Subject: [PATCH 18/22] add localhost to the same hostgroups as in currently in dev - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- setup/so-functions | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 21908b684..4f792eefa 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -750,6 +750,10 @@ firewall_generate_templates() { cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 + for i in analyst beats_endpoint sensor master minion osquery_endpoint search_node wazuh_endpoint; do + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 + done + } fleet_pillar() { From 9466cc5439c8c254ed5fb27ebf89b70389528215 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 11 Jun 2020 08:49:52 -0400 Subject: [PATCH 19/22] remove firewall pillar from top, add roles to hosts during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- pillar/top.sls | 8 -------- setup/so-functions | 33 +++++++++++++++++---------------- 2 files changed, 17 insertions(+), 24 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index b0576c6eb..a691cf028 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -14,7 +14,6 @@ base: '*_sensor': - static - - firewall.* - brologs - healthcheck.sensor - minions.{{ grains.id }} @@ -22,7 +21,6 @@ base: '*_master or *_mastersearch': - match: compound - static - - firewall.* - data.* - secrets - minions.{{ grains.id }} @@ -33,7 +31,6 @@ base: '*_eval': - static - - firewall.* - data.* - brologs - secrets @@ -53,18 +50,15 @@ base: '*_node': - static - - firewall.* - minions.{{ grains.id }} '*_heavynode': - static - - firewall.* - brologs - minions.{{ grains.id }} '*_helix': - static - - firewall.* - fireeye - brologs - logstash 
@@ -73,14 +67,12 @@ base: '*_fleet': - static - - firewall.* - data.* - secrets - minions.{{ grains.id }} '*_searchnode': - static - - firewall.* - logstash - logstash.search - minions.{{ grains.id }} diff --git a/setup/so-functions b/setup/so-functions index 4f792eefa..99cb92404 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1368,19 +1368,20 @@ set_initial_firewall_policy() { set_main_ip if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi - if [ -f $default_salt_dir/pillar/firewall/addfirewall.sh ]; then chmod +x $default_salt_dir/pillar/firewall/addfirewall.sh; fi + if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi case "$install_type" in 'MASTER') - printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" - salt-call -l info state.apply firewall >> $setup_log 2>&1 - + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" + case "$install_type" in 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True 
@@ -1391,24 +1392,24 @@ set_initial_firewall_policy() { esac ;; 'HELIXSENSOR') - printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ - $local_salt_dir/pillar/firewall/masterfw.sls\ - $local_salt_dir/pillar/firewall/forward_nodes.sls + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" case "$install_type" in 'SENSOR') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ;; 'SEARCHNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo 
$default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; @@ -1488,7 +1489,7 @@ update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then # Update Sudoers so that soremote can accept keys without a password echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers else From 55e597d302abfcaae61ddb09239e9c0404ca405a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 11 Jun 2020 09:45:31 -0400 Subject: [PATCH 20/22] run firewall state after adding ips during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641 --- setup/so-functions | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 99cb92404..4aa45926f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
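Review bot: In the `SENSOR`/`SEARCHNODE`/`HEAVYNODE` branches the `ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo ... so-firewall includehost sensor "$MAINIP"` lines quote `$MAINIP` only on the local side; ssh joins its arguments into a single string and the remote shell re-splits it, so the quotes do not survive, and nothing checks the remote exit status. Because `MAINIP` is derived locally by `set_main_ip` the injection risk is low, but a failed registration leaves the node unable to reach the master while setup proceeds; append `|| exit 1` (or the setup's failure helper) to each ssh call, or batch them into one remote invocation. The enclosing `case` continues outside the hunk.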
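Review bot: The replacement sudoers line `soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall` grants passwordless root for the tool with any arguments, so whoever holds a node's `/root/.ssh/so.key` can run every `so-firewall` subcommand on the master — including `includehost <any-group> <any-address>` — rather than only adding its own IP to `minion`. The previous `addfirewall.sh` entry had the same weakness, but the new tool appears to be a broader CLI, so the exposure grows. Pinning arguments in sudoers (`NOPASSWD:$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion *`, one line per allowed group) helps, bearing in mind a sudoers `*` also matches across argument boundaries; having `so-firewall` itself restrict what a remote caller may add (e.g. only the SSH client's own address) is the stronger fix. The surrounding `if` begins outside the hunk.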
@@ -1374,6 +1374,7 @@ set_initial_firewall_policy() { 'MASTER') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + salt-call state.apply -l info firewall >> $setup_log 2>&1 $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH' | 'STANDALONE') @@ -1381,7 +1382,7 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" - + salt-call state.apply -l info firewall >> $setup_log 2>&1 case "$install_type" in 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True 
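Review bot: The added `salt-call state.apply -l info firewall >> $setup_log 2>&1` in the `MASTER` branch discards the command's exit status, so a failed firewall state (the one that actually installs the ACCEPT rules for the addresses just registered) is only visible by reading the log, and setup continues. Check the result, e.g. `salt-call state.apply -l info firewall >> "$setup_log" 2>&1 || { echo "firewall state failed, see $setup_log"; exit 1; }`, or use whatever failure helper the installer already provides. The same applies to the identical line added in the `EVAL | MASTERSEARCH | STANDALONE` branch, and `$setup_log` should be quoted. The enclosing `case` starts outside the hunk.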
@@ -1395,21 +1396,25 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall includehost master "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + salt-call state.apply -l info firewall >> $setup_log 2>&1 ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" case "$install_type" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-call state.apply -l info firewall ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-call state.apply -l info firewall ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost search_node "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-call state.apply -l info firewall ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" 
"$filesystem_nsm" bond0 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; From 16592fcc1e5d842df2010a455cc8f23e3a8ade7b Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 11 Jun 2020 12:55:30 -0400 Subject: [PATCH 21/22] makedirs if it doesn't exist --- salt/firewall/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 2d14ae4b5..7d4dab0bf 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -5,6 +5,7 @@ create_sysconfig_iptables: file.touch: - name: /etc/sysconfig/iptables + - makedirs: True - unless: 'ls /etc/sysconfig/iptables' # Quick Fix for Docker being difficult From a37faff85010882183bd639fbf2d8a1f98eb6c2d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 11 Jun 2020 13:03:21 -0400 Subject: [PATCH 22/22] New so-allow --- salt/common/tools/sbin/so-allow | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 9be770bed..b7a32400f 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -83,7 +83,8 @@ if [ "$SKIP" -eq 0 ]; then fi echo "Adding $IP to the $FULLROLE role. This can take a few seconds" -$default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP +/usr/sbin/so-firewall includehost $FULLROLE $IP +salt-call state.apply firewall queue=True # Check if Wazuh enabled if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
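Review bot: The added `ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-call state.apply -l info firewall` lines run `salt-call` via sudo, but the NOPASSWD entries `update_sudoers()` writes for `soremote` (shown in the previous patch) cover only `salt-key`, `so-firewall`, `addtotab.sh` and `add_minion.sh`; unless `soremote` has broader sudo rights elsewhere, sudo will demand a password over a non-interactive ssh session and the state never runs, leaving the node's IP in the pillar but absent from the master's iptables. Either add the exact `salt-call state.apply firewall` invocation to the sudoers list, or — better, since it needs no extra remote privilege — have `so-firewall includehost` trigger the state itself as `so-allow` does. These ssh calls also lack the `>> $setup_log 2>&1` redirection and exit-status check the local branches use. The `case` continues beyond the hunk.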
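Review bot: `/usr/sbin/so-firewall includehost $FULLROLE $IP` leaves both variables unquoted and, within this hunk, nothing validates `$IP` as an address or CIDR before it is handed to the tool and written into the hostgroup pillar — and this is the operator-facing entry point. Quote them and gate the state run on success: `/usr/sbin/so-firewall includehost "$FULLROLE" "$IP" || exit 1` followed by `salt-call state.apply firewall queue=True`, so a rejected or malformed entry does not still trigger a full firewall state run. Whether `so-firewall` validates the address itself is not visible here. The surrounding script continues outside the hunk.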