The firewall rules related to a service may need to be bumped up the stack a bit. It just so happens that EC2 enforces rules, but this is actually a service attribute that could be implemented many ways. I suggest coupling the rules with the cluster, service or spec object.
Then, in provisioning/config, one could apply them where it is needed (e.g. whitelist environments like EC2) or where they are desired (e.g. the user wants a whitelist-style env, but it isn't naturally supported, and therefore needs to be configured as software like iptables).
Patch is a good WIP. Please submit an issue to jclouds for adding a CIDR-based rule to the EC2 template. There's still time to make this in beta-7.
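An added illustration of the coupling proposed in the comment above (this is example code, not the patch, jclouds, or the project's own code): the firewall rule lives on the service spec, and two back ends render the same rules, one as CIDR-based ingress permissions for a whitelist environment such as EC2, the other as iptables commands for an environment with no native whitelist. The names `IngressRule`, `ServiceSpec`, `to_ec2_permissions`, `to_iptables`, the dictionary shape of the EC2 output and the sample service and ports are all assumptions made for the example.

```python
"""Firewall rules as a service attribute, rendered by two back ends (example code)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IngressRule:
    """One whitelist entry: allow `proto` to ports port_from..port_to from `cidr`."""
    proto: str
    port_from: int
    port_to: int
    cidr: str

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {self.proto}")
        if not 0 < self.port_from <= self.port_to <= 65535:
            raise ValueError(f"bad port range {self.port_from}-{self.port_to}")
        # strict=True rejects a CIDR with host bits set (e.g. 10.1.2.3/8) instead
        # of silently widening the rule to the whole /8.
        ipaddress.ip_network(self.cidr, strict=True)


@dataclass(frozen=True)
class ServiceSpec:
    """A service and the ingress rules coupled to it (hypothetical spec object)."""
    name: str
    ingress: Tuple[IngressRule, ...]


def to_ec2_permissions(spec: ServiceSpec) -> List[Dict[str, object]]:
    """Render the rules as CIDR-based ingress permissions for a whitelist
    environment. The dict shape is an assumption, not a cloud API contract."""
    return [
        {"IpProtocol": r.proto, "FromPort": r.port_from,
         "ToPort": r.port_to, "CidrIp": r.cidr}
        for r in spec.ingress
    ]


def to_iptables(spec: ServiceSpec, chain: str = "INPUT") -> List[str]:
    """Render the same rules as iptables commands for an environment that has
    no native whitelist: accept the rules, then default-deny the chain."""
    lines = [
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A {chain} -i lo -j ACCEPT",
    ]
    tag = shlex.quote(spec.name)  # the service name is user input; quote it
    for r in spec.ingress:
        ports = (str(r.port_from) if r.port_from == r.port_to
                 else f"{r.port_from}:{r.port_to}")
        lines.append(
            f"iptables -A {chain} -p {r.proto} -s {r.cidr} --dport {ports} "
            f"-m comment --comment {tag} -j ACCEPT"
        )
    lines.append(f"iptables -P {chain} DROP")
    return lines


if __name__ == "__main__":
    # Constructed sample service; ports and CIDRs are illustrative only.
    sample = ServiceSpec("hadoop-namenode", (
        IngressRule("tcp", 8020, 8020, "10.0.0.0/8"),
        IngressRule("tcp", 50070, 50075, "192.168.1.0/24"),
    ))
    for perm in to_ec2_permissions(sample):
        print(perm)
    print("\n".join(to_iptables(sample)))
```

Keeping the rule definition on the spec means the two renderers can never drift apart, and validating the CIDR at construction time catches a too-broad rule before either back end applies it.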