diff --git a/ansible/host_vars/grimes.yml b/ansible/host_vars/grimes.yml
new file mode 100644
index 0000000..e11b0f4
--- /dev/null
+++ b/ansible/host_vars/grimes.yml
@@ -0,0 +1,4 @@
+requested_firewall_ports:
+  - 80/tcp
+  - 443/tcp
+  - 1080/tcp
diff --git a/ansible/main.yml b/ansible/main.yml
index 2408d01..d163e3e 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -38,3 +38,4 @@
     - statping
     - socks-proxy
     - upload
+    - firewall
diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..15298b1
--- /dev/null
+++ b/ansible/roles/firewall/tasks/main.yml
@@ -0,0 +1,44 @@
+- name: Install firewalld
+  package:
+    name: firewalld
+  become: true
+
+- name: Enable firewalld
+  systemd:
+    name: firewalld
+    enabled: true
+    state: started
+  become: true
+
+- name: Mark wireguard as internal traffic
+  firewalld:
+    source: "{{ wireguard.cidr }}"
+    zone: trusted
+    state: enabled
+    permanent: true
+    immediate: true
+  become: true
+
+- name: Get firewall ports
+  shell: firewall-cmd --list-ports --zone public
+  become: true
+  register: firewall_ports
+
+- name: Open firewall ports
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  loop: "{{ requested_firewall_ports }}"
+  become: true
+
+- name: Close firewall ports
+  firewalld:
+    port: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: disabled
+  when: item and item not in requested_firewall_ports
+  loop: "{{ firewall_ports.stdout.split(' ') }}"
+  become: true
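Review bot: The `1080/tcp` entry opens what is conventionally the SOCKS port in the public zone, and main.yml in this same commit lists a `socks-proxy` role, so this appears to expose the proxy to every interface in that zone. If the proxy is only meant for WireGuard peers — the new firewall role already marks `wireguard.cidr` as trusted, so peers reach it without a public-zone rule — this line can be dropped and the proxy bound to the WireGuard address instead. Either way the intent deserves a comment above the entry, e.g. `# 1080/tcp: SOCKS proxy, intentionally reachable from the internet (not only via WireGuard)`, so the next reader does not have to guess whether the exposure is deliberate.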
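Review bot: The "Get firewall ports" task queries `--zone public` explicitly, but the "Open firewall ports" and "Close firewall ports" tasks pass no `zone:`, so they act on firewalld's default zone; if the default zone is ever not `public`, the listing and the reconciliation diverge and the close step can never remove the ports it should. Adding `zone: public` to both `firewalld:` port tasks makes the three steps operate on the same zone. The same task also uses `shell` for a command with no shell syntax and has no `changed_when`, so every run reports a change; `command:` with `changed_when: false` is the usual form. Note that `--list-ports` lists ports only, so services enabled in the zone (firewalld's defaults include ssh and dhcpv6-client) are not reconciled by this role — worth a comment on the task if that is intended.

```yaml
- name: Get firewall ports
  # Read-only query of the runtime public-zone ports; never a change by itself.
  command: firewall-cmd --list-ports --zone public
  changed_when: false
  become: true
  register: firewall_ports

- name: Open firewall ports
  firewalld:
    zone: public
    # … unchanged: port/permanent/immediate/state …
  # … unchanged: loop/become …

- name: Close firewall ports
  firewalld:
    zone: public
    # … unchanged: port/permanent/immediate/state …
  # … unchanged: when/loop/become …
```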