# Keep the iptables package installed; the package name is taken from the
# state ID.
# NOTE(review): this only installs the package. Nothing in the visible part of
# this file loads rules or enables an iptables service -- confirm another
# state provides the host filtering while firewalld is kept stopped.
iptables:
  pkg.installed: []

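# firewalld stays installed but is kept stopped and disabled for the time
# being; a change to any managed zone file re-triggers this state.
# NOTE(review): while the service is dead the zone files managed in this file
# are not enforced by a running firewalld -- confirm host filtering is
# provided elsewhere before relying on them.
# The watch is only rendered when the firewalld pillar yields zone files: a
# watch glob that matches no state is reported as a missing requisite and
# fails this state on minions that have no (or an empty) firewalld pillar.
firewalld:
  pkg.installed:
    - name: firewalld
  service.dead:
    - enable: false
{%- if pillar.get('firewalld') %}
    - watch:
      - file: /etc/firewalld/zones/*
{%- endif %}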

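# Keep salt-minion running, and restart it whenever a managed zone file
# changes so the minion comes back up cleanly after a firewall change.
# NOTE(review): restarting salt-minion from inside its own state run can cut
# that run short -- confirm this is acceptable for how the state is applied.
# The watch is only rendered when the firewalld pillar yields zone files: a
# watch glob that matches no state is reported as a missing requisite and
# fails this state on minions that have no (or an empty) firewalld pillar.
fwd-minion:
  service.running:
    - name: salt-minion
{%- if pillar.get('firewalld') %}
    - watch:
      - file: /etc/firewalld/zones/*
{%- endif %}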

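{# only manage zone files when a firewalld pillar exists #}
{%- if pillar['firewalld'] is defined -%}

{# one root-owned zone file per entry in the firewalld pillar, rendered from the shared zone.xml template #}
{%- for zone in pillar['firewalld'] %}
/etc/firewalld/zones/{{ zone }}.xml:
  file.managed:
    - source: salt://systems/core/firewalld/zone.xml
    - user: root
    - group: root
    # quoted so YAML keeps the mode a string instead of the integer 644
    - mode: '0644'
    - template: jinja
    # values of a key inside a list item need a four-space indent; at two
    # spaces `zone` is parsed as a sibling key of `context` rather than as
    # its value. The zone name is quoted so a boolean- or number-looking name
    # stays a string.
    - context:
        zone: '{{ zone }}'
{%- endfor %}
{%- endif %}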