diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
index f16b942667d..0f82d20cd2a 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -36,8 +36,8 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
@@ -54,5 +54,5 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
--A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+-A POSTROUTING -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
 COMMIT
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
index b04af3ba7ae..18a3510f120 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
@@ -28,7 +28,7 @@ COMMIT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 COMMIT
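Review bot: The rule text in these restore files now also serves as the list of host rules that CsNetfilters.del_standard() reads back (it opens /etc/iptables/iptables-<type> and hands every `-A` line to del_rule), so the explicit `-m tcp` / `-m udp` added here appears to be load-bearing for that match rather than cosmetic, and nothing in the file says so. A comment line at the top of each file would stop the next editor from dropping it again: `# Also read back by CsNetfilter.del_standard(): keep -A lines with the same option tokens iptables-save prints (explicit -m tcp / -m udp), or the rule stops being recognised as unmanaged`. iptables-restore ignores lines beginning with `#`, and del_standard only looks at lines starting with `*` or `-A`, so the comment is inert for both readers. The same applies to the iptables-router mangle hunk and to both iptables-vpcrouter hunks.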
@@ -38,5 +38,5 @@ COMMIT
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
+-A OUTPUT -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
 COMMIT
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
index 8279f16fce8..6a786b118b9 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
@@ -1,6 +1,7 @@ # -- coding: utf-8 -- import CsHelper from pprint import pprint +from cs_databag import CsDataBag, CsCmdLine import logging class CsChain(object):
@@ -99,7 +100,6 @@ class CsNetfilters(object): # Ensure all inbound chains have a default drop rule if c.startswith("ACL_INBOUND"): list.append(["filter", "", "-A %s -j DROP" % c]) - print list for fw in list: new_rule = CsNetfilter() new_rule.parse(fw[2])
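Review bot: `CsDataBag` is imported into CsNetfilter.py alongside `CsCmdLine`, but only `CsCmdLine` is used by the new code in this diff (the rewritten del_standard); unless another part of the file I cannot see needs it, trim the line to `from cs_databag import CsCmdLine` so the module does not carry an unused name. The `@@ -99` hunk that drops the stray `print list` needs nothing further.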
@@ -127,16 +127,20 @@ class CsNetfilters(object): def del_standard(self): """ Del rules that are there but should not be deleted - from the host but that configure does not actually manage """ - self.del_rule("mangle", "-m udp --dport 68 -A OUTPUT -p udp -j CHECKSUM") + These standard firewall rules vary according to the device type + """ + type = CsCmdLine("cmdline").get_type() - self.del_rule("filter", "-d 224.0.0.18/32 -A INPUT -j ACCEPT") - self.del_rule("filter", "-d 225.0.0.50/32 -A INPUT -j ACCEPT") - self.del_rule("filter", "-A INPUT -p icmp -j ACCEPT") - self.del_rule("filter", "-i lo -A INPUT -j ACCEPT") - self.del_rule("filter", "-A INPUT -m tcp -i eth0 -m state --dport 3922 -p tcp --state NEW -j ACCEPT") - self.del_rule("filter", "-j ACCEPT -A INPUT --state RELATED,ESTABLISHED -m state") - self.del_rule("filter", "-j ACCEPT -A FORWARD --state RELATED,ESTABLISHED -m state") + try: + table = '' + for i in open("/etc/iptables/iptables-%s" % type): + if i.startswith('*'): # Table + table = i[1:].strip() + if i.startswith('-A'): # Rule + self.del_rule(table, i.strip()) + except IOError: + # Nothing can be done + return def del_rule(self, table, rule): nr = CsNetfilter()
@@ -149,7 +153,6 @@ class CsNetfilters(object): The rule will not actually be removed on the host """ self.rules[:] = [x for x in self.rules if not x == rule] - class CsNetfilter(object): def __init__(self):
@@ -172,8 +175,10 @@ class CsNetfilter(object): rule = rule.replace('! -', '!_-') rule = rule.replace('-p all', '') rule = rule.replace(' ', ' ') + rule = rule.replace('bootpc', '68') # -m can appear twice in a string rule = rule.replace('-m state', '-m2 state') + rule = rule.replace('ESTABLISHED,RELATED', 'RELATED,ESTABLISHED') bits = rule.split(' ') rule = dict(zip(bits[0::2],bits[1::2])) if "-A" in rule.keys():
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 20f819b920e..147a9c314a2 100755
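Review bot: In the new del_standard the handle from `open("/etc/iptables/iptables-%s" % type)` is never closed, the local `type` shadows the builtin, and the `except IOError` branch returns without leaving any trace, so a missing or unreadable rule file silently leaves every standard rule in self.rules as though this code managed it (what later happens to those rules on the host is decided outside this hunk, but the SSH and ESTABLISHED,RELATED accepts are among them, so it is worth being able to see it in the logs). Reading through `with`, renaming the local and reporting the failure via the `logging` module the file already imports keeps the best-effort behaviour while making it observable; the rewritten body is below. The second test can also be `elif`, since a line cannot start with both `*` and `-A`. Only the method body changes; del_rule and the rest of the class lie outside this hunk.
```python
    def del_standard(self):
        """ Del rules that are there but should not be deleted
        These standard firewall rules vary according to the device type
        """
        dev_type = CsCmdLine("cmdline").get_type()
        path = "/etc/iptables/iptables-%s" % dev_type
        try:
            with open(path) as rules_file:
                table = ''
                for line in rules_file:
                    if line.startswith('*'):  # Table
                        table = line[1:].strip()
                    elif line.startswith('-A'):  # Rule
                        self.del_rule(table, line.strip())
        except IOError as e:
            # Best effort: without this file nothing is marked as unmanaged,
            # so at least leave a trace of why
            logging.warning("del_standard: cannot read %s: %s", path, e)
```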
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -19,6 +19,7 @@ import sys import os from merge import dataBag +from cs_databag import CsDataBag, CsCmdLine from pprint import pprint import subprocess import logging
@@ -488,28 +489,27 @@ class CsIP: self.post_config_change("delete") -class CsDataBag(object): - def __init__(self, key): - self.data = {} - db = dataBag() - db.setKey(key) - db.load() - self.dbag = db.getDataBag() - global fw - def get_bag(self): - return self.dbag +class CsPassword(CsDataBag): + """ + Update the password cache + + A stupid step really as we should just rewrite the password server to + use the databag + """ + cache = "/var/cache/cloud/passwords" def process(self): - pass + file = CsFile(self.cache) + for item in self.dbag: + if item == "id": + continue + self.__update(file, item, self.dbag[item]) + file.commit() -class CsCmdLine(CsDataBag): - """ Get cmdline config parameters """ - def is_redundant(self): - if "redundant" in self.dbag['config']: - return self.dbag['config']['redundant'] == "true" - return False + def __update(self, file, ip, password): + file.search("%s=" % ip, "%s=%s" % (ip, password)) class CsAcl(CsDataBag): """
@@ -592,26 +592,6 @@ class CsAcl(CsDataBag): dev_obj = self.AclDevice(self.dbag[item]).create() -class CsPassword(CsDataBag): - """ - Update the password cache - - A stupid step really as we should just rewrite the password server to - use the databag - """ - cache = "/var/cache/cloud/passwords" - - def process(self): - file = CsFile(self.cache) - for item in self.dbag: - if item == "id": - continue - self.__update(file, item, self.dbag[item]) - file.commit() - - def __update(self, file, ip, password): - file.search("%s=" % ip, "%s=%s" % (ip, password)) - class CsVmMetadata(CsDataBag): def process(self):
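Review bot: With `CsDataBag` now imported from cs_databag and the local definition — the only visible caller of `dataBag()` — deleted in the `@@ -488` hunk, the `from merge import dataBag` line just above the new import looks unused in configure.py; if nothing else in the file references it, drop it so the old and new databag implementations are not both in scope. I cannot see the rest of the file, so this needs a quick search before removing.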
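Review bot: The relocated CsPassword still binds the builtin name `file` (`file = CsFile(self.cache)` in process, and the same name as the parameter of `__update`), shadowing Python 2's `file` type for the rest of each method; since the class is being moved anyway, this is the moment to rename it to something like `cache_file` in both methods, which changes no behaviour. The body is otherwise a verbatim move of the block deleted in the `@@ -592` hunk. CsFile is outside this diff, but as the cache entries written by `__update` are plaintext passwords keyed by IP, it is worth confirming that CsFile creates /var/cache/cloud/passwords with restrictive permissions rather than the process umask.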