Rebuilding firewall rules

.gitignore

@@ -0,0 +1,2 @@
+.kitchen
+.bundle

Gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+group :kitchen do
+    gem 'test-kitchen'
+    gem 'kitchen-docker'
+    gem 'kitchen-inspec'
+    gem 'kitchen-salt'
+end
+
+group :develop do
+    gem 'kitchen-vagrant'
+end
+
+group :formula do
+    # Put any dependencies needed by the formula tests here.
+end
+

Gemfile.lock

@@ -0,0 +1,535 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.4.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.337.0)
+    aws-sdk-apigateway (1.47.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-apigatewayv2 (1.23.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-athena (1.29.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-autoscaling (1.22.0)
+      aws-sdk-core (~> 3, >= 3.52.1)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-budgets (1.32.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudformation (1.40.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudfront (1.32.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudhsm (1.24.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudhsmv2 (1.25.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudtrail (1.25.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudwatch (1.40.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudwatchlogs (1.33.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-codecommit (1.36.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-codedeploy (1.33.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-codepipeline (1.33.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-configservice (1.47.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-core (3.102.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.239.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-costandusagereportservice (1.23.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-dynamodb (1.50.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ec2 (1.172.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ecr (1.32.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ecs (1.66.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-efs (1.31.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-eks (1.39.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-elasticache (1.39.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-elasticbeanstalk (1.33.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-elasticloadbalancing (1.24.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-elasticloadbalancingv2 (1.46.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-elasticsearchservice (1.38.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-firehose (1.30.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-iam (1.42.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-kafka (1.23.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-kinesis (1.25.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-kms (1.35.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-lambda (1.45.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-organizations (1.17.0)
+      aws-sdk-core (~> 3, >= 3.39.0)
+      aws-sigv4 (~> 1.0)
+    aws-sdk-rds (1.89.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-redshift (1.45.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-route53 (1.39.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-route53domains (1.24.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-route53resolver (1.16.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.72.0)
+      aws-sdk-core (~> 3, >= 3.102.1)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-securityhub (1.28.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ses (1.32.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-sms (1.22.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-sns (1.26.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-sqs (1.29.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ssm (1.83.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.2.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+    azure_graph_rbac (0.17.2)
+      ms_rest_azure (~> 0.12.0)
+    azure_mgmt_key_vault (0.17.6)
+      ms_rest_azure (~> 0.12.0)
+    azure_mgmt_resources (0.17.9)
+      ms_rest_azure (~> 0.12.0)
+    azure_mgmt_security (0.18.2)
+      ms_rest_azure (~> 0.12.0)
+    azure_mgmt_storage (0.21.1)
+      ms_rest_azure (~> 0.12.0)
+    bcrypt_pbkdf (1.0.1)
+    builder (3.2.4)
+    chef-config (16.2.50)
+      addressable
+      chef-utils (= 16.2.50)
+      fuzzyurl
+      mixlib-config (>= 2.2.12, < 4.0)
+      mixlib-shellout (>= 2.0, < 4.0)
+      tomlrb (~> 1.2)
+    chef-telemetry (1.0.8)
+      chef-config
+      concurrent-ruby (~> 1.0)
+      ffi-yajl (~> 2.2)
+    chef-utils (16.2.50)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.6)
+    declarative (0.0.20)
+    declarative-option (0.1.0)
+    diff-lcs (1.4.3)
+    docker-api (1.34.2)
+      excon (>= 0.47.0)
+      multi_json
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    ecma-re-validator (0.2.1)
+      regexp_parser (~> 1.2)
+    ed25519 (1.2.4)
+    equatable (0.6.1)
+    erubi (1.9.0)
+    excon (0.75.0)
+    faraday (0.17.3)
+      multipart-post (>= 1.2, < 3)
+    faraday-cookie_jar (0.0.6)
+      faraday (>= 0.7.4)
+      http-cookie (~> 1.0.0)
+    faraday_middleware (0.12.2)
+      faraday (>= 0.7.4, < 1.0)
+    ffi (1.13.1)
+    ffi-yajl (2.3.3)
+      libyajl2 (~> 1.2)
+    fuzzyurl (0.9.0)
+    google-api-client (0.34.1)
+      addressable (~> 2.5, >= 2.5.1)
+      googleauth (~> 0.9)
+      httpclient (>= 2.8.1, < 3.0)
+      mini_mime (~> 1.0)
+      representable (~> 3.0)
+      retriable (>= 2.0, < 4.0)
+      signet (~> 0.12)
+    googleauth (0.10.0)
+      faraday (~> 0.12)
+      jwt (>= 1.4, < 3.0)
+      memoist (~> 0.16)
+      multi_json (~> 1.11)
+      os (>= 0.9, < 2.0)
+      signet (~> 0.12)
+    gssapi (1.3.0)
+      ffi (>= 1.0.1)
+    gyoku (1.3.1)
+      builder (>= 2.1.2)
+    hana (1.3.6)
+    hashie (3.6.0)
+    htmlentities (4.3.4)
+    http-cookie (1.0.3)
+      domain_name (~> 0.5)
+    httpclient (2.8.3)
+    i18n (1.8.3)
+      concurrent-ruby (~> 1.0)
+    inifile (3.0.0)
+    inspec (4.21.1)
+      faraday_middleware (~> 0.12.2)
+      inspec-core (= 4.21.1)
+      train (~> 3.0)
+      train-aws (~> 0.1)
+      train-habitat (~> 0.1)
+      train-winrm (~> 0.2)
+    inspec-core (4.21.1)
+      addressable (~> 2.4)
+      chef-telemetry (~> 1.0)
+      faraday (>= 0.9.0)
+      hashie (~> 3.4)
+      htmlentities (~> 4.3)
+      json_schemer (~> 0.2.1)
+      license-acceptance (>= 0.2.13, < 2.0)
+      method_source (>= 0.8, < 2.0)
+      mixlib-log (~> 3.0)
+      multipart-post (~> 2.0)
+      parallel (~> 1.9)
+      parslet (~> 1.5)
+      pry (~> 0.13)
+      rspec (~> 3.9)
+      rspec-its (~> 1.2)
+      rubyzip (~> 1.2, >= 1.2.2)
+      semverse (~> 3.0)
+      sslshake (~> 1.2)
+      term-ansicolor (~> 1.7)
+      thor (>= 0.20, < 2.0)
+      tomlrb (~> 1.2.0)
+      train-core (~> 3.0)
+      tty-prompt (~> 0.17)
+      tty-table (~> 0.10)
+    jmespath (1.4.0)
+    json (2.3.0)
+    json_schemer (0.2.11)
+      ecma-re-validator (~> 0.2)
+      hana (~> 1.3)
+      regexp_parser (~> 1.5)
+      uri_template (~> 0.7)
+    jwt (2.2.1)
+    kitchen-docker (2.10.0)
+      test-kitchen (>= 1.0.0)
+    kitchen-inspec (2.0.0)
+      hashie (~> 3.4)
+      inspec (>= 2.2.64, < 5.0)
+      test-kitchen (>= 1.6, < 3)
+    kitchen-salt (0.6.3)
+      hashie (>= 3.5)
+      test-kitchen (>= 1.4)
+    kitchen-vagrant (1.6.1)
+      test-kitchen (>= 1.4, < 3)
+    libyajl2 (1.2.0)
+    license-acceptance (1.0.19)
+      pastel (~> 0.7)
+      tomlrb (~> 1.2)
+      tty-box (~> 0.3)
+      tty-prompt (~> 0.18)
+    little-plugger (1.1.4)
+    logging (2.2.2)
+      little-plugger (~> 1.1)
+      multi_json (~> 1.10)
+    memoist (0.16.2)
+    method_source (1.0.0)
+    mini_mime (1.0.2)
+    minitest (5.14.1)
+    mixlib-config (3.0.6)
+      tomlrb
+    mixlib-install (3.12.1)
+      mixlib-shellout
+      mixlib-versioning
+      thor
+    mixlib-log (3.0.8)
+    mixlib-shellout (3.0.9)
+    mixlib-versioning (1.2.12)
+    ms_rest (0.7.6)
+      concurrent-ruby (~> 1.0)
+      faraday (>= 0.9, < 2.0.0)
+      timeliness (~> 0.3.10)
+    ms_rest_azure (0.12.0)
+      concurrent-ruby (~> 1.0)
+      faraday (>= 0.9, < 2.0.0)
+      faraday-cookie_jar (~> 0.0.6)
+      ms_rest (~> 0.7.6)
+    multi_json (1.14.1)
+    multipart-post (2.1.1)
+    necromancer (0.5.1)
+    net-scp (3.0.0)
+      net-ssh (>= 2.6.5, < 7.0.0)
+    net-ssh (6.1.0)
+    net-ssh-gateway (2.0.0)
+      net-ssh (>= 4.0.0)
+    nori (2.6.0)
+    os (1.1.0)
+    parallel (1.19.2)
+    parslet (1.8.2)
+    pastel (0.7.4)
+      equatable (~> 0.6)
+      tty-color (~> 0.5)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.5)
+    regexp_parser (1.7.1)
+    representable (3.0.4)
+      declarative (< 0.1.0)
+      declarative-option (< 0.2.0)
+      uber (< 0.2.0)
+    retriable (3.1.2)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-its (1.3.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    rubyntlm (0.6.2)
+    rubyzip (1.3.0)
+    semverse (3.0.0)
+    signet (0.14.0)
+      addressable (~> 2.3)
+      faraday (>= 0.17.3, < 2.0)
+      jwt (>= 1.5, < 3.0)
+      multi_json (~> 1.10)
+    sslshake (1.3.1)
+    strings (0.1.8)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.2.0)
+    sync (0.5.0)
+    term-ansicolor (1.7.1)
+      tins (~> 1.0)
+    test-kitchen (2.5.2)
+      bcrypt_pbkdf (~> 1.0)
+      ed25519 (~> 1.2)
+      license-acceptance (~> 1.0, >= 1.0.11)
+      mixlib-install (~> 3.6)
+      mixlib-shellout (>= 1.2, < 4.0)
+      net-scp (>= 1.1, < 4.0)
+      net-ssh (>= 2.9, < 7.0)
+      net-ssh-gateway (>= 1.2, < 3.0)
+      thor (>= 0.19, < 2.0)
+      winrm (~> 2.0)
+      winrm-elevated (~> 1.0)
+      winrm-fs (~> 1.1)
+    thor (1.0.1)
+    thread_safe (0.3.6)
+    timeliness (0.3.10)
+    tins (1.25.0)
+      sync
+    tomlrb (1.2.9)
+    train (3.3.4)
+      activesupport (>= 5.2.4.3, < 6.0.0)
+      azure_graph_rbac (~> 0.16)
+      azure_mgmt_key_vault (~> 0.17)
+      azure_mgmt_resources (~> 0.15)
+      azure_mgmt_security (~> 0.18)
+      azure_mgmt_storage (~> 0.18)
+      docker-api (~> 1.26)
+      google-api-client (>= 0.23.9, < 0.35.0)
+      googleauth (>= 0.6.6, < 0.11.0)
+      inifile (~> 3.0)
+      train-core (= 3.3.4)
+      train-winrm (~> 0.2)
+    train-aws (0.1.17)
+      aws-sdk-apigateway (~> 1.0)
+      aws-sdk-apigatewayv2 (~> 1.0)
+      aws-sdk-athena (~> 1.0)
+      aws-sdk-autoscaling (~> 1.22.0)
+      aws-sdk-budgets (~> 1.0)
+      aws-sdk-cloudformation (~> 1.0)
+      aws-sdk-cloudfront (~> 1.0)
+      aws-sdk-cloudhsm (~> 1.0)
+      aws-sdk-cloudhsmv2 (~> 1.0)
+      aws-sdk-cloudtrail (~> 1.8)
+      aws-sdk-cloudwatch (~> 1.13)
+      aws-sdk-cloudwatchlogs (~> 1.13)
+      aws-sdk-codecommit (~> 1.0)
+      aws-sdk-codedeploy (~> 1.0)
+      aws-sdk-codepipeline (~> 1.0)
+      aws-sdk-configservice (~> 1.21)
+      aws-sdk-core (~> 3.0)
+      aws-sdk-costandusagereportservice (~> 1.6)
+      aws-sdk-dynamodb (~> 1.31)
+      aws-sdk-ec2 (~> 1.70)
+      aws-sdk-ecr (~> 1.18)
+      aws-sdk-ecs (~> 1.30)
+      aws-sdk-efs (~> 1.0)
+      aws-sdk-eks (~> 1.9)
+      aws-sdk-elasticache (~> 1.0)
+      aws-sdk-elasticbeanstalk (~> 1.0)
+      aws-sdk-elasticloadbalancing (~> 1.8)
+      aws-sdk-elasticloadbalancingv2 (~> 1.0)
+      aws-sdk-elasticsearchservice (~> 1.0)
+      aws-sdk-firehose (~> 1.0)
+      aws-sdk-iam (~> 1.13)
+      aws-sdk-kafka (~> 1.0)
+      aws-sdk-kinesis (~> 1.0)
+      aws-sdk-kms (~> 1.13)
+      aws-sdk-lambda (~> 1.0)
+      aws-sdk-organizations (~> 1.17.0)
+      aws-sdk-rds (~> 1.43)
+      aws-sdk-redshift (~> 1.0)
+      aws-sdk-route53 (~> 1.0)
+      aws-sdk-route53domains (~> 1.0)
+      aws-sdk-route53resolver (~> 1.0)
+      aws-sdk-s3 (~> 1.30)
+      aws-sdk-securityhub (~> 1.0)
+      aws-sdk-ses (~> 1.0)
+      aws-sdk-sms (~> 1.0)
+      aws-sdk-sns (~> 1.9)
+      aws-sdk-sqs (~> 1.10)
+      aws-sdk-ssm (~> 1.0)
+    train-core (3.3.4)
+      addressable (~> 2.5)
+      ffi (!= 1.13.0)
+      json (>= 1.8, < 3.0)
+      mixlib-shellout (>= 2.0, < 4.0)
+      net-scp (>= 1.2, < 4.0)
+      net-ssh (>= 2.9, < 7.0)
+    train-habitat (0.2.13)
+    train-winrm (0.2.6)
+      winrm (~> 2.0)
+      winrm-fs (~> 1.0)
+    tty-box (0.5.0)
+      pastel (~> 0.7.2)
+      strings (~> 0.1.6)
+      tty-cursor (~> 0.7)
+    tty-color (0.5.1)
+    tty-cursor (0.7.1)
+    tty-prompt (0.21.0)
+      necromancer (~> 0.5.0)
+      pastel (~> 0.7.0)
+      tty-reader (~> 0.7.0)
+    tty-reader (0.7.0)
+      tty-cursor (~> 0.7)
+      tty-screen (~> 0.7)
+      wisper (~> 2.0.0)
+    tty-screen (0.8.0)
+    tty-table (0.11.0)
+      equatable (~> 0.6)
+      necromancer (~> 0.5)
+      pastel (~> 0.7.2)
+      strings (~> 0.1.5)
+      tty-screen (~> 0.7)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    uber (0.1.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
+    unicode-display_width (1.7.0)
+    unicode_utils (1.4.0)
+    uri_template (0.7.0)
+    winrm (2.3.4)
+      builder (>= 2.1.2)
+      erubi (~> 1.8)
+      gssapi (~> 1.2)
+      gyoku (~> 1.0)
+      httpclient (~> 2.2, >= 2.2.0.2)
+      logging (>= 1.6.1, < 3.0)
+      nori (~> 2.0)
+      rubyntlm (~> 0.6.0, >= 0.6.1)
+    winrm-elevated (1.2.1)
+      erubi (~> 1.8)
+      winrm (~> 2.0)
+      winrm-fs (~> 1.0)
+    winrm-fs (1.3.3)
+      erubi (~> 1.8)
+      logging (>= 1.6.1, < 3.0)
+      rubyzip (~> 1.1)
+      winrm (~> 2.0)
+    wisper (2.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  kitchen-docker
+  kitchen-inspec
+  kitchen-salt
+  kitchen-vagrant
+  test-kitchen
+
+BUNDLED WITH
+   2.1.4

_modules/minion_net.py

@@ -1,6 +1,8 @@
 #!python
 # -*- coding: utf-8 -*-
 
+import socket
+
 from salt.utils.network import ipaddr
 
 
@@ -108,3 +110,26 @@ def map_hostname_to_public_addresses(target, target_type = "glob", addr_type = "
             mapping[nodename].extend(addresses)
 
     return mapping
+
+
+def strip_cidr(ipaddr):
+    """ Given an IP address, strip the CIDR off the end, if it is present.
+    """
+
+    return ipaddr.split("/")[0]
+
+
+def resolve_hostname(hostname):
+    v4, v6 = [], []
+
+    infos = socket.getaddrinfo(hostname, 0)
+    for fam, stype, proto, canonname, sockaddr in infos:
+        address = sockaddr[0]
+        if fam is socket.AF_INET:
+            if address not in v4:
+                v4.append(address)
+        elif fam is socket.AF_INET6:
+            if address not in v6:
+                v6.append(address)
+
+    return v4, v6

base/debian_packages.sls

@@ -1,7 +0,0 @@
----
-
-apt-file:
-  pkg.installed:
-    - name: apt-file
-  cmd.run:
-    - name: "apt-file update"

base/map.jinja

@@ -1,2 +1,3 @@
 {% import_yaml "base/package_map.yaml" as pkg_map %}
+{% import_yaml "base/pip_packages.yaml" as pip_pkgs %}
 {% set packages = salt["grains.filter_by"](pkg_map, grain="os") or {} %}

base/package_map.yaml

@@ -1,27 +1,29 @@
 ---
 
 Debian:
+  apt-file:
+    name: apt-file
+    then: "apt-file update"
   curl:
     name: curl
   dnsutils:
     name: dnsutils
   htop:
     name: htop
+  iptables:
+    name: iptables
+    latest: true
+    source_for:
+      stretch: ~
+      buster: buster-backports
   jq:
     name: jq
   libcap2_bin:
     name: libcap2-bin
   parted:
     name: parted
-  pip:
-    require: ">=19.0.0"
-    py2_name: python-pip
-    py3_name: python3-pip
   python3:
     name: python3
-  python_requests:
-    name: python-requests
-  python3_requests:
-    name: python3-requests
+    latest: true
   tmux:
     name: tmux

base/packages.sls

@@ -3,38 +3,26 @@
 {% from "base/map.jinja" import packages with context %}
 
 # Include OS-specific packages
-{% set osname = grains["os"].lower() %}
-include:
-- "base.{{ osname }}_packages"
-
-curl:
-  pkg.installed:
-  - name: "{{ packages.curl.name }}"
-
-dnsutils:
-  pkg.installed:
-  - name: "{{ packages.dnsutils.name }}"
-
-htop:
-  pkg.installed:
-  - name: "{{ packages.htop.name }}"
-
-jq:
-  pkg.installed:
-  - name: "{{ packages.jq.name }}"
-
-libcap2-bin:
-  pkg.installed:
-  - name: "{{ packages.libcap2_bin.name }}"
-
-parted:
-  pkg.installed:
-  - name: "{{ packages.parted.name }}"
-
-python3:
-  pkg.installed:
-  - name: "{{ packages.python3.name }}"
-
-tmux:
-  pkg.installed:
-  - name: "{{ packages.tmux.name }}"
+{% set codename = grains["oscodename"] %}
+
+{% for name, settings in packages.items() %}
+{{ name }}:
+  pkg.{{ "latest" if settings.get("latest") else "installed" }}:
+  - name: {{ settings.name | yaml_dquote }}
+{% if settings.get("version") %}
+  - version: {{ settings.get("version") | yaml_dquote }}
+{% endif %}
+{% if settings.get("triggers", {}).get("reload") %}
+  - reload_modules: true
+{% endif %}
+{% if settings.get("triggers", {}).get("pkg_refresh") %}
+  - refresh: true
+{% endif %}
+{% if codename in settings.get("source_for", {}) and settings["source_for"][codename] %}
+  - fromrepo: {{ settings["source_for"][codename] | yaml_dquote }}
+{% endif %}
+{% if settings.get("then") %}
+  cmd.run:
+  - name: {{ settings["then"] | yaml_dquote }}
+{% endif %}
+{% endfor %}

base/pip_packages.yaml

@@ -0,0 +1,10 @@
+---
+
+pip:
+  require: ">=19.0.0"
+  py2_name: python-pip
+  py3_name: python3-pip
+python_requests:
+  name: python-requests
+python3_requests:
+  name: python3-requests

base/python.sls

@@ -1,6 +1,6 @@
 ---
 
-{% from "base/map.jinja" import packages with context %}
+{% from "base/map.jinja" import pip_pkgs as packages with context %}
 
 fetch pip bootstrap:
   file.managed:

base/repositories.sls

@@ -1,20 +1,13 @@
 ---
 
-debian strech backports:
-  pkgrepo.managed:
-  - humanname: debian-stretch-backports
-  - name: deb http://ftp.debian.org/debian stretch-backports main contrib non-free
-  - dist: stretch-backports
-  - file: /etc/apt/sources.list.d/debian-stretch-backports.list
-  - onchanges_in:
-    - module: refresh package database
+{% set codename = grains["oscodename"] -%}
 
-debian stretch backports sloppy:
+debian {{ codename }} backports:
   pkgrepo.managed:
-  - humanname: debian-stretch-backports-sloppy
-  - name: deb http://ftp.debian.org/debian stretch-backports-sloppy main contrib non-free
-  - dist: stretch-backports-sloppy
-  - file: /etc/apt/sources.list.d/debian-stretch-backports-sloppy.list
+  - humanname: debian-{{ codename }}-backports
+  - name: deb http://deb.debian.org/debian {{ codename }}-backports main contrib non-free
+  - dist: {{ codename }}-backports
+  - file: /etc/apt/sources.list.d/debian-{{ codename }}-backports.list
   - onchanges_in:
     - module: refresh package database
 

ci/pipeline.yml

@@ -52,7 +52,28 @@ resources:
     form_data:
       .: (( inject meta.request.form_data ))
 
+- name: commons
+  type: git
+  icon: git
+  source:
+    .: (( inject meta.upstream.commons ))
+
 jobs:
+- name: "kitchen-integration-debian"
+  serial_groups: [kitchen]
+  public: true
+  plan:
+  - get: commons
+  - get: states
+    trigger: true
+  - task: "run-kitchen-integration-debian"
+    file: (( grab meta.tasks.kitchen ))
+    privileged: true
+    params:
+      PLATFORM: debian
+    input_mapping:
+      formula: states
+
 - name: update-states
   public: false
   plan:

ci/settings.yml

@@ -12,4 +12,17 @@ meta:
       password: ((glow_registry_ci.password))
 
   saltbox:
-    secret: ((saltbox.webhook_secret))
+    secret: ((saltbox.webhook_secret))
+
+  formula:
+    source:
+      uri: https://glow.dev.maio.me/saltbox-formulas/states.git
+      branch: master
+
+  tasks:
+    kitchen: commons/tasks/kitchen/kitchen.yml
+
+  upstream:
+    commons:
+      uri: "https://glow.dev.maio.me/containers/commons.git"
+      branch: "master"

fwrules/chains/concourse_worker.sls

@@ -0,0 +1,99 @@
+#!pydsl
+
+state("concourse_worker ipv4 chain").iptables.chain_present(
+    "concourse_worker",
+    family="ipv4",
+)
+
+state("concourse_worker ipv6 chain").iptables.chain_present(
+    "concourse_worker",
+    family="ipv6",
+)
+
+addresses_v4 = ["107.155.67.64/29"]
+addresses_v6 = ["2604:880:396::/48"]
+
+for address in addresses_v4:
+    # SSH
+    state("ssh ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=22,
+    )
+
+    # Concourse worker
+    state("concourse-atc ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=7777,
+    )
+
+    state("concourse-baggageclaim ipv4 " + address).append(
+        table="filter",
+        family="ipv4",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=7778,
+    )
+
+for address in addresses_v6:
+    # SSH
+    state("ssh ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=7777,
+    )
+
+    # Concourse private
+    state("concourse-atc ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=7777,
+    )
+
+    state("concourse-baggageclaim ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="concourse_worker",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=7778,
+    )
+
+
+state("concourse_worker ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="concourse_worker",
+    jump="concourse_worker",
+)
+
+state("concourse_worker ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="concourse_worker",
+    jump="concourse_worker",
+)

fwrules/chains/elasticsearch_cluster_private.sls

@@ -0,0 +1,45 @@
+#!pydsl
+
+state("es-ingest ipv4 " + address).iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    source="10.1.0.0/24",
+    protocol="tcp",
+    match="tcp",
+    dport=9200,
+)
+
+state("es-transport ipv4 " + address).iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    source="10.1.0.0/24",
+    protocol="tcp",
+    match="tcp",
+    dport=9300,
+)
+
+addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
+for address in addresses_v4:
+    state("es-ingest ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="INPUT",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9200,
+    )
+
+addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
+for address in addresses_v6:
+    state("es-ingest ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="INPUT",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9200,
+    )

fwrules/chains/elasticsearch_exporter_private.sls

@@ -0,0 +1,56 @@
+#!pydsl
+
+state("elasticsearch_exporter_private ipv4 chain").iptables.chain_present(
+    "elasticsearch_exporter_private",
+    family="ipv4",
+)
+
+state("elasticsearch_exporter_private ipv6 chain").iptables.chain_present(
+    "elasticsearch_exporter_private",
+    family="ipv6",
+)
+
+addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
+for address in addresses_v4:
+    # Salt private
+    state("elasticsearch_exporter ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="elasticsearch_exporter_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9114,
+    )
+
+addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
+for address in addresses_v6:
+    state("elasticsearch_exporter ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="elasticsearch_exporter_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9114,
+    )
+
+
+state("elasticsearch_exporter_private ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="elasticsearch_exporter_private",
+    jump="elasticsearch_exporter_private",
+)
+
+state("elasticsearch_exporter_private ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="elasticsearch_exporter_private",
+    jump="elasticsearch_exporter_private",
+)
+

fwrules/chains/http_public.sls

@@ -0,0 +1,54 @@
+#!pydsl
+
+families = [
+    ("ipv4", ["0.0.0.0/0"]),
+    ("ipv6", ["::/0"]),
+]
+
+ports = [
+    ("http", 80),
+    ("https", 443),
+]
+
+state("http_public ipv4 chain").iptables.chain_present(
+    "http_public",
+    family="ipv4",
+)
+
+state("http_public ipv6 chain").iptables.chain_present(
+    "http_public",
+    family="ipv6",
+)
+
+for family, addresses in families:
+    for address in addresses:
+        for protocol, port in ports:
+            state("{} {} {}".format(protocol, family, address)).iptables.append(
+                table="filter",
+                family=family,
+                chain="http_public",
+                source=address,
+                protocol="tcp",
+                match=["tcp", "comment"],
+                comment=protocol,
+                dport=port,
+                jump="ACCEPT",
+            )
+
+state("http_public ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="http_public",
+    jump="http_public",
+)
+
+state("http_public ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="http_public",
+    jump="http_public",
+)

fwrules/chains/management.sls

@@ -0,0 +1,100 @@
+#!pydsl
+
+import socket
+from copy import copy
+from salt.utils import network
+
+pillar = __salt__["pillar.get"]
+
+addresses_v4 = pillar("firewall:management:ipv4", [])
+addresses_v6 = pillar("firewall:management:ipv6", [])
+names = pillar("firewall:management:resolve_names", [])
+
+public_addresses = __salt__.minion_net.public_addresses
+
+# CI worker nodes need to be able to access everything
+for address in public_addresses("app:builder", target_type="glob", addr_type="ipv4"):
+    addresses_v4.append(address)
+
+for address in public_addresses("app:builder", target_type="glob", addr_type="ipv6"):
+    addresses_v6.append(address)
+
+# Salt master needs to be able to access everything
+for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv4"):
+    addresses_v4.append(address)
+
+for address in public_addresses("app:saltbox", target_type="glob", addr_type="ipv6"):
+    addresses_v6.append(address)
+
+# Resolve any names to add to the allow lists
+for hostname in names:
+    mods = {}
+    if isinstance(hostname, dict):
+        hostname, mods = hostname.popitem()
+        print(hostname, mods)
+
+    widen_ipv6 = mods.get("widen_ipv6")
+    v4, v6 = __salt__.minion_net.resolve_hostname(hostname)
+    if widen_ipv6:
+        cv6 = copy(v6)
+        v6.clear()
+        for addr6 in cv6:
+            addr6 = __salt__.minion_net.strip_cidr(addr6)
+            v6.append(network.calc_net(addr6, widen_ipv6))
+            
+    addresses_v4.extend(v4)
+    addresses_v6.extend(v6)
+
+
+state("management ipv4 chain").iptables.chain_present(
+    "management",
+    family="ipv4",
+)
+
+state("management ipv6 chain").iptables.chain_present(
+    "management",
+    family="ipv6",
+)
+
+for address in addresses_v4:
+    state("ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="management",
+        source=address,
+        match=["comment"],
+        comment="management",
+        jump="ACCEPT",
+    )
+
+
+for address in addresses_v6:
+    # SSH private
+    state("ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="management",
+        source=address,
+        match=["comment"],
+        comment="management",
+        jump="ACCEPT",
+    )
+
+
+state("management ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="management",
+    jump="management",
+)
+
+state("management ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="management",
+    jump="management",
+)

fwrules/chains/mqtt_public.sls

@@ -0,0 +1,54 @@
+#!pydsl
+
+families = [
+    ("ipv4", ["0.0.0.0/0"]),
+    ("ipv6", ["::/0"]),
+]
+
+ports = [
+    ("mqtts-tcp", 4883),
+    ("mqtts-ws", 4884),
+]
+
+state("mqtt_public ipv4 chain").iptables.chain_present(
+    "mqtt_public",
+    family="ipv4",
+)
+
+state("mqtt_public ipv6 chain").iptables.chain_present(
+    "mqtt_public",
+    family="ipv6",
+)
+
+for family, addresses in families:
+    for address in addresses:
+        for protocol, port in ports:
+            state("{} {} {}".format(protocol, family, address)).iptables.append(
+                table="filter",
+                family=family,
+                chain="mqtt_public",
+                source=address,
+                protocol="tcp",
+                match=["tcp", "comment"],
+                comment=protocol,
+                dport=port,
+                jump="ACCEPT",
+            )
+
+state("mqtt_public ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="mqtt_public",
+    jump="mqtt_public",
+)
+
+state("mqtt_public ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="mqtt_public",
+    jump="mqtt_public",
+)

fwrules/chains/node_exporter_private.sls

@@ -0,0 +1,55 @@
+#!pydsl
+
+state("node_exporter_private ipv4 chain").iptables.chain_present(
+    "node_exporter_private",
+    family="ipv4",
+)
+
+state("node_exporter_private ipv6 chain").iptables.chain_present(
+    "node_exporter_private",
+    family="ipv6",
+)
+
+addresses_v4 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv4")
+for address in addresses_v4:
+    # Salt private
+    state("node_exporter ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="node_exporter_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9100,
+    )
+
+addresses_v6 = __salt__.minion_net.public_addresses("app:metrics", target_type="grain", addr_type="ipv6")
+for address in addresses_v6:
+    state("node_exporter ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="node_exporter_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=9100,
+    )
+
+
+state("node_exporter_private ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="node_exporter_private",
+    jump="node_exporter_private",
+)
+
+state("node_exporter_private ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="node_exporter_private",
+    jump="node_exporter_private",
+)

fwrules/chains/salt_private.sls

@@ -0,0 +1,76 @@
+#!pydsl
+
+state("salt_private ipv4 chain").iptables.chain_present(
+    "salt_private",
+    family="ipv4",
+)
+
+state("salt_private ipv6 chain").iptables.chain_present(
+    "salt_private",
+    family="ipv6",
+)
+
+addresses_v4 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv4")
+for address in addresses_v4:
+    # Salt private
+    state("salt-publish ipv4 " + address).iptables.append(
+        table="filter",
+        family="ipv4",
+        chain="salt_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=4505,
+    )
+
+    state("salt-return ipv4 " + address).append(
+        table="filter",
+        family="ipv4",
+        chain="salt_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=4506,
+    )
+
+addresses_v6 = __salt__.minion_net.public_addresses("*", target_type="glob", addr_type="ipv6")
+for address in addresses_v6:
+    # Salt private
+    state("salt-publish ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="salt_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=4505,
+    )
+
+    state("salt-return ipv6 " + address).iptables.append(
+        table="filter",
+        family="ipv6",
+        chain="salt_private",
+        source=address,
+        protocol="tcp",
+        match="tcp",
+        dport=4506,
+    )
+
+
+state("salt_private ipv4 input chain").iptables.append(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    match="comment",
+    comment="salt_private",
+    jump="salt_private",
+)
+
+state("salt_private ipv6 input chain").iptables.append(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    match="comment",
+    comment="salt_private",
+    jump="salt_private",
+)

fwrules/init.sls

@@ -0,0 +1,88 @@
+#!pydsl
+
+defaults = __salt__["pillar.get"]("firewall:defaults", {})
+defaults.setdefault("allow_loopback", True)
+defaults.setdefault("conntrack", True)
+
+input_policy = __salt__["pillar.get"]("firewall:policies:INPUT", "DROP")
+forward_policy = __salt__["pillar.get"]("firewall:policies:FORWARD", "DROP")
+output_policy = __salt__["pillar.get"]("firewall:policies:OUTPUT", "ACCEPT")
+
+
+state("default v4 input " + input_policy).iptables.set_policy(
+    table="filter",
+    family="ipv4",
+    chain="INPUT",
+    policy=input_policy,
+)
+
+state("default v4 forward " + forward_policy).iptables.set_policy(
+    table="filter",
+    family="ipv4",
+    chain="FORWARD",
+    policy=forward_policy,
+)
+
+state("default v4 output " + output_policy).iptables.set_policy(
+    table="filter",
+    family="ipv4",
+    chain="OUTPUT",
+    policy=output_policy,
+)
+
+state("default v6 input " + input_policy).iptables.set_policy(
+    table="filter",
+    family="ipv6",
+    chain="INPUT",
+    policy=input_policy,
+)
+
+state("default v6 forward " + forward_policy).iptables.set_policy(
+    table="filter",
+    family="ipv6",
+    chain="FORWARD",
+    policy=forward_policy,
+)
+
+state("default v6 output " + output_policy).iptables.set_policy(
+    table="filter",
+    family="ipv6",
+    chain="OUTPUT",
+    policy=output_policy,
+)
+
+if defaults["conntrack"]:
+    state("conntrack ipv4").iptables.append(
+        table="filter",
+        chain="INPUT",
+        family="ipv4",
+        match=["conntrack"],
+        ctstate="RELATED,ESTABLISHED",
+        jump="ACCEPT",
+    )
+
+    state("conntrack ipv6").iptables.append(
+        table="filter",
+        chain="INPUT",
+        family="ipv6",
+        match=["conntrack"],
+        ctstate="RELATED,ESTABLISHED",
+        jump="ACCEPT",
+    )
+
+if defaults["allow_loopback"]:
+    state("loopback ipv4").iptables.append(
+        table="filter",
+        chain="INPUT",
+        family="ipv4",
+        source="127.0.0.0/8",
+        jump="ACCEPT",
+    )
+
+    state("loopback ipv6").iptables.append(
+        table="filter",
+        chain="INPUT",
+        family="ipv6",
+        source="::1/128",
+        jump="ACCEPT",
+    )

kitchen.ci.yml

@@ -0,0 +1,101 @@
+---
+
+driver:
+  name: docker
+
+transport:
+  name: docker
+
+driver_config:
+  use_sudo: false
+  privileged: true
+  provision_command: mkdir -p /run/sshd
+  run_command: /lib/systemd/systemd
+  cap_add:
+  - CAP_SYS_ADMIN
+
+verifier:
+  name: inspec
+  sudo: true
+  reporter:
+  - cli
+
+platforms:
+- name: debian-9
+  driver_config:
+    image: debian:9
+    provision_command:
+    - apt-get install -y python3-pip git
+    - pip3 install pytoml
+
+provisioner:
+  name: salt_solo
+  require_chef: false
+  state_collection: .
+  is_file_root: true
+
+  # Salt-solo installation options
+  salt_install: bootstrap
+  salt_version: latest
+  salt_bootstrap_options: "-x python3"
+  salt_copy_filter:
+    - .git
+    - .kitchen
+
+  dependencies:
+  - name: openssh
+    repo: git
+    source: https://github.com/saltstack-formulas/openssh-formula.git
+
+  # Provision with states
+  state_top:
+    base:
+      '*':
+      - base.files
+      - base.repositories
+      - base.packages
+      - base.python
+      - base.sshd
+      - base.unattended_upgrades
+      - fwrules
+
+  pillars:
+    top.sls:
+      base:
+        '*':
+        - firewall
+    firewall.sls:
+      firewall:
+        defaults:
+          conntrack: false
+        policies:
+          INPUT: ACCEPT
+          FORWARD: DROP
+          OUTPUT: ACCEPT
+        management:
+          ipv4:
+          - "107.155.67.64/29"
+          ipv6:
+          - "2604:880:396::/48"
+          resolve_names:
+          - "adephagia.synology.me":
+              widen_ipv6: 64
+
+suites:
+- name: default
+  provisioner:
+    state_top:
+      base:
+        '*':
+        - base.files
+        - base.repositories
+        - base.packages
+        - base.python
+        - base.sshd
+        - base.unattended_upgrades
+        - fwrules
+        - fwrules.chains.management
+        - fwrules.chains.minion_access
+        - fwrules.chains.http_public
+        - fwrules.chains.mqtt_public
+    pillars: {}

kitchen.yml

@@ -0,0 +1,86 @@
+---
+
+driver:
+  name: vagrant
+
+verifier:
+  name: inspec
+  sudo: true
+  reporter:
+    - cli
+
+platforms:
+- name: debian-9
+  driver:
+    box: generic/debian9
+
+provisioner:
+  name: salt_solo
+  require_chef: false
+  state_collection: .
+  is_file_root: true
+
+  # Salt-solo installation options
+  salt_install: bootstrap
+  salt_version: latest
+  salt_copy_filter:
+    - .git
+    - .kitchen
+
+  dependencies:
+  - name: openssh
+    repo: git
+    source: https://github.com/saltstack-formulas/openssh-formula.git
+
+  # Provision with states
+  state_top:
+    base:
+      '*':
+      - base.files
+      - base.repositories
+      - base.packages
+      - base.python
+      - base.sshd
+      - base.unattended_upgrades
+      - fwrules
+
+  pillars:
+    top.sls:
+      base:
+        '*':
+        - firewall
+    firewall.sls:
+      firewall:
+        defaults:
+          conntrack: false
+        policies:
+          INPUT: ACCEPT
+          FORWARD: DROP
+          OUTPUT: ACCEPT
+        management:
+          ipv4:
+          - "107.155.67.64/29"
+          ipv6:
+          - "2604:880:396::/48"
+          resolve_names:
+          - "adephagia.synology.me":
+              widen_ipv6: 64
+
+suites:
+- name: default
+  provisioner:
+    state_top:
+      base:
+        '*':
+        - base.files
+        - base.repositories
+        - base.packages
+        - base.python
+        - base.sshd
+        - base.unattended_upgrades
+        - fwrules
+        - fwrules.chains.management
+        - fwrules.chains.minion_access
+        - fwrules.chains.http_public
+        - fwrules.chains.mqtt_public
+    pillars: {}

test/integration/default/base.rb

@@ -0,0 +1,14 @@
+describe file("/etc/motd") do
+  it { should exist }
+end
+
+describe directory("/etc/pki") do
+  it { should exist }
+  its(:owner) { should cmp "root" }
+  its(:group) { should cmp "root" }
+  its(:mode) { should be 0755 }
+end
+
+describe package("iptables") do
+  it { should be_installed }
+end

test/integration/default/fwrules.rb

@@ -0,0 +1,40 @@
+describe iptables do
+  it { should have_rule("-P INPUT ACCEPT") }
+  it { should have_rule("-P FORWARD DROP") }
+  it { should have_rule("-P OUTPUT ACCEPT") }
+  it { should have_rule("-N management") }
+  it { should have_rule("-N minion_access") }
+  it { should have_rule("-N mqtt_public") }
+  it { should have_rule("-N http_public") }
+  it { should have_rule("-A INPUT -s 127.0.0.0/8 -j ACCEPT") }
+  it { should have_rule("-A INPUT -m comment --comment management -j management") }
+  it { should have_rule("-A INPUT -m comment --comment minion_access -j minion_access") }
+  it { should have_rule("-A INPUT -m comment --comment mqtt_public -j mqtt_public") }
+  it { should have_rule("-A INPUT -m comment --comment http_public -j http_public") }
+  it { should have_rule("-A management -s 107.155.67.64/29 -m comment --comment management -j ACCEPT") }
+  it { should have_rule("-A management -s 107.155.67.64/29 -m comment --comment management -j ACCEPT") }
+  it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4883 -m comment --comment mqtts-tcp -j ACCEPT") }
+  it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4884 -m comment --comment mqtts-ws -j ACCEPT") }
+  it { should have_rule("-A http_public -p tcp -m tcp --dport 80 -m comment --comment http -j ACCEPT") }
+  it { should have_rule("-A http_public -p tcp -m tcp --dport 443 -m comment --comment https -j ACCEPT") }
+end
+
+describe ip6tables do
+  it { should have_rule("-P INPUT ACCEPT") }
+  it { should have_rule("-P FORWARD DROP") }
+  it { should have_rule("-P OUTPUT ACCEPT") }
+  it { should have_rule("-N management") }
+  it { should have_rule("-N minion_access") }
+  it { should have_rule("-N mqtt_public") }
+  it { should have_rule("-N http_public") }
+  it { should have_rule("-A INPUT -s ::1/128 -j ACCEPT") }
+  it { should have_rule("-A INPUT -m comment --comment management -j management") }
+  it { should have_rule("-A INPUT -m comment --comment minion_access -j minion_access") }
+  it { should have_rule("-A INPUT -m comment --comment mqtt_public -j mqtt_public") }
+  it { should have_rule("-A management -s 2604:880:396::/48 -m comment --comment management -j ACCEPT")}
+  it { should have_rule("-A management -s 2605:6000:1700:64f::/64 -m comment --comment management -j ACCEPT")}
+  it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4883 -m comment --comment mqtts-tcp -j ACCEPT") }
+  it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4884 -m comment --comment mqtts-ws -j ACCEPT") }
+  it { should have_rule("-A http_public -p tcp -m tcp --dport 80 -m comment --comment http -j ACCEPT") }
+  it { should have_rule("-A http_public -p tcp -m tcp --dport 443 -m comment --comment https -j ACCEPT") }
+end

top.sls

@@ -9,6 +9,8 @@ base:
     - base.repositories
     - base.sshd
     - base.unattended_upgrades
+    - fwrules 
+    - fwrules.chains.management
     - iptables
     - logrotate.jobs
     - salt.minion
@@ -20,6 +22,7 @@ base:
 
   'roles:salt_master':
     - match: grain
+    - fwrules.chains.minion_access
     - saltbox.directories
     - saltbox.orchestrator.update_fileserver
     - saltbox.reactor.sync_grains
@@ -85,6 +88,7 @@ base:
     - match: grain
     - prometheus
     - app.concourse_worker
+    - fwrules.chains.concourse_workers
 
   'app:es-data':
     - match: grain