diff --git a/hieradata/role/tang.yaml b/hieradata/role/tang.yaml
index b1cc3845b0..11e00d99e0 100644
--- a/hieradata/role/tang.yaml
+++ b/hieradata/role/tang.yaml
@@ -1,6 +1,10 @@
 ---
 classes:
+ - "ipset"
 - "profile::core::common"
+ - "profile::core::firewall"
 - "tang"
 packages:
 - "jose"
+
+firewall::ensure: "running"
diff --git a/hieradata/site/dev/role/tang.yaml b/hieradata/site/dev/role/tang.yaml
new file mode 100644
index 0000000000..3e62b921ba
--- /dev/null
+++ b/hieradata/site/dev/role/tang.yaml
@@ -0,0 +1,9 @@
+---
+profile::core::firewall::firewall:
+ "200 accept tang":
+ proto: "tcp"
+ state: "NEW"
+ ipset: "dev src"
+ dport: "7500"
+ action: "accept"
+ require: "Ipset::Set[dev]"
diff --git a/spec/hosts/roles/tang_spec.rb b/spec/hosts/roles/tang_spec.rb
index 97f19dfad6..e0f6746a07 100644
--- a/spec/hosts/roles/tang_spec.rb
+++ b/spec/hosts/roles/tang_spec.rb
@@ -27,9 +27,26 @@
 it { is_expected.to compile.with_all_deps }
 include_examples 'common', facts: facts
+ include_examples 'ipset'
+ include_examples 'firewall default', facts: facts
+ include_examples 'firewall node_exporter scraping', site: site
 it { is_expected.to contain_class('tang') }
 it { is_expected.to contain_package('jose') }
+
+ case site
+ when 'dev'
+ it do
+ is_expected.to contain_firewall('200 accept tang').with(
+ proto: 'tcp',
+ state: 'NEW',
+ ipset: 'dev src',
+ dport: '7500',
+ action: 'accept',
+ require: 'Ipset::Set[dev]',
+ )
+ end
+ end
 end # host
 end # lsst_sites
 end # on os
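Review bot: In `hieradata/role/tang.yaml`, `firewall::ensure: "running"` and `profile::core::firewall` now apply to every node with the tang role, but the only rule that admits traffic to the tang port (`200 accept tang`, dport 7500) is added under `hieradata/site/dev/role/tang.yaml`. If another site runs this role and the default ruleset drops unmatched inbound traffic (the defaults are not visible in this diff), clients at that site would lose access to tang as soon as the firewall starts. Either add the matching site-level rule for each site that hosts tang, or record the requirement next to the new key, e.g. `# each site must define its own "200 accept tang" rule; only site/dev does so far`.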
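Review bot: In `hieradata/site/dev/role/tang.yaml`, the whole access decision for `200 accept tang` rests on membership of the `dev` ipset, which is defined outside this diff, so a reader of this file cannot tell how wide the permitted source range is. Because tang answers requests from network-bound disk encryption clients, the set should presumably cover only networks whose hosts are meant to unlock against this server; a comment above the rule such as `# tang (NBDE) on 7500/tcp: allowed sources are the "dev" ipset, keep that set limited to client networks` would make that intent reviewable. `dport: "7500"` is also hard-coded here and in the spec, so it is worth confirming it matches the port the `tang` class actually listens on.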
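Review bot: In `spec/hosts/roles/tang_spec.rb`, the `case site` block asserts the `200 accept tang` rule only for `'dev'` and checks nothing for the other sites, so the spec would still pass if the rule were later moved to role level or copied elsewhere with a broader source set. Adding an `else` branch with `it { is_expected.not_to contain_firewall('200 accept tang') }` would pin the intended exposure per site. The enclosing host/site/os blocks begin outside this hunk, so the set of sites iterated is not visible here.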