diff --git a/main.tf b/main.tf
index 209710e..2cc5793 100644
--- a/main.tf
+++ b/main.tf
@@ -13,6 +13,77 @@ required_version = ">= 0.14.0"
 provider "openstack" {
 cloud = "sto4-rut"
 }
+
+resource "openstack_networking_secgroup_v2" "naemon" {
+ name = "naemon"
+ description = "Rule to allow naemon traffic"
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule1" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 4317
+ port_range_max = 4318
+ remote_group_id = openstack_networking_secgroup_v2.naemon.id
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule2" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 4317
+ port_range_max = 4318
+ remote_group_id = openstack_networking_secgroup_v2.naemon.id
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "icmp"
+ remote_group_id = openstack_networking_secgroup_v2.naemon.id
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "icmp"
+ remote_group_id = openstack_networking_secgroup_v2.naemon.id
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule5" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ remote_ip_prefix = "109.105.111.111/32"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule6" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ remote_ip_prefix = "2001:948:4:6::111/128"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule7" {
+ direction = "ingress"
+ ethertype = "IPv4"
+ protocol = "tcp"
+ port_range_min = 5666
+ port_range_max = 5666
+ remote_ip_prefix = "89.46.21.190/32"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
+ direction = "ingress"
+ ethertype = "IPv6"
+ protocol = "tcp"
+ port_range_min = 5666
+ port_range_max = 5666
+ remote_ip_prefix = "2001:6b0:6c::37f/128"
+ security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
 resource "openstack_networking_secgroup_v2" "https" {
 name = "https"
 description = "Traffic to allow between microk8s hosts"
@@ -97,7 +168,7 @@ resource "openstack_compute_instance_v2" "monitor-node" {
 name = "internal-sto4-prod-monitor-1.${var.dns_suffix}"
 flavor_name = "${var.monitor_instance_type}"
 key_pair = "thorslund"
- security_groups = ["https", "Allow SSH from SUNET jumphosts",]
+ security_groups = ["https", "Allow SSH from SUNET jumphosts", "naemon"]
 block_device {
@@ -120,7 +191,7 @@ resource "openstack_compute_instance_v2" "satosa-node" {
 name = "internal-sto4-prod-satosa-1.${var.dns_suffix}"
 flavor_name = "${var.monitor_instance_type}"
 key_pair = "thorslund"
- security_groups = ["https", "Allow SSH from SUNET jumphosts",]
+ security_groups = ["https", "Allow SSH from SUNET jumphosts", "naemon"]
 block_device {
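Review bot: naemon_rule5 and naemon_rule6 grant TCP ingress from 109.105.111.111/32 and 2001:948:4:6::111/128 with no `port_range_min`/`port_range_max`, and a Neutron TCP rule without a port range matches every TCP port, not just the monitoring port the group's description implies. The neighbouring naemon_rule7/naemon_rule8 show the intended shape; unless whole-host TCP access from those two addresses is deliberate, pin the range on both rules, `port_range_min = <intended port>` and `port_range_max = <intended port>` (the intended port is not recoverable from the diff). None of the eight rules carries a `description`, so the Neutron rule list gives no hint which check or exporter each entry serves; a one-line `description = "..."` per rule would make later audits of this group much easier. The four poller addresses hard-coded across rules 5–8 would also be easier to review and rotate as variables than as literals.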
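Review bot: the new `"naemon"` entry in `security_groups` names the group by literal string rather than through the resource this commit creates, so Terraform records no dependency between the instance and `openstack_networking_secgroup_v2.naemon` and on a fresh apply may attempt the instance before the group exists. Writing the element as `openstack_networking_secgroup_v2.naemon.name` yields the same value and adds the edge; the identical change in the satosa-node hunk below has the same issue. The enclosing `openstack_compute_instance_v2` block starts before and continues after this hunk.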