diff --git a/README.md b/README.md index 5caac18..67a1582 100644 --- a/README.md +++ b/README.md @@ -115,6 +115,8 @@ By default, a `vagrant` user will be provisioned (if not already available) and - Configure each desired service by following the README of its role. - Run the playbook `site.yml` or one of the service playbooks. +**IMPORTANT**: Pay attention to the [Firewall](#firewall) section below. + ## How does it work? The provisioning and configuration management tool Ansible is used to access a Linux server (VM, bare-metal) using SSH and provisions a set of roles. Each role consists of Docker Compose services (each containing one or more Docker containers). @@ -131,6 +133,10 @@ Persistent volumes that need to be backed up will be labeled in a way that rcb w Restic assumes untrusted environments, hence backups are always encrypted using modern algorithms. [See their website for further details.](https://restic.net) +## Firewall + +The `common` role comes with a [firewall](https://galaxy.ansible.com/geerlingguy/firewall) based on iptables. If you don't allow SSH (usually port 22) then you might lock yourself out. Have a look at `group_vars/vagrant.yml` for an example config. Add the corresponding [firewall parameters](https://galaxy.ansible.com/geerlingguy/firewall) to your `host_vars` and adapt them according to your needs. + ## Alternatives - [HomelabOS](https://gitlab.com/NickBusey/HomelabOS) diff --git a/group_vars/docker.yml b/group_vars/docker.yml index ab46aba..9ea90b9 100644 --- a/group_vars/docker.yml +++ b/group_vars/docker.yml @@ -7,4 +7,15 @@ docker_package: "docker-{{ docker_edition }}" docker_package_state: present docker_compose_version: "1.25.0" docker_users: - - deploy \ No newline at end of file + - deploy +firewall_disable_ufw: true +firewall_flush_rules_and_chains: true +firewall_allowed_tcp_ports: + - "22" + - "80" + - "443" +#firewall_allowed_udp_ports: +# # Jitsi +# - "10000" +firewall_additional_rules: + - "iptables -P INPUT DROP" 
diff --git a/group_vars/vagrant.yml b/group_vars/vagrant.yml index 0c43b68..d7d1ac0 100644 --- a/group_vars/vagrant.yml +++ b/group_vars/vagrant.yml @@ -1,4 +1,13 @@ ansible_user: vagrant +firewall_disable_ufw: true +firewall_flush_rules_and_chains: true +firewall_allowed_tcp_ports: + - "22" + - "80" + - "443" +firewall_allowed_udp_ports: + # Jitsi + - "10000" users: - deploy sudoers: [] diff --git a/requirements.yml b/requirements.yml index 3a7d5b3..3ec8d56 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,3 +1,4 @@ +- geerlingguy.firewall - geerlingguy.pip - geerlingguy.docker
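Review bot: in the README `## Firewall` hunk, the section sends readers to `group_vars/vagrant.yml` as the example config, but the stricter settings live in `group_vars/docker.yml` of the same patch (`firewall_additional_rules: - "iptables -P INPUT DROP"`), which the section never mentions; a host in the `docker` group whose `firewall_allowed_tcp_ports` lacks `"22"` will lock its administrator out on the first run, so state the default-deny policy explicitly here and say which group file applies to which hosts. Both links in the section also go to the same Galaxy URL; the second one ("firewall parameters") would be more useful pointing at the role's variable documentation.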
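Review bot: in the `group_vars/docker.yml` hunk, `firewall_flush_rules_and_chains: true` flushes all chains, including the ones the Docker daemon maintains for published ports and container NAT, so whenever the `common` role runs on a host where Docker is already up (every later `site.yml` run), containers lose their port mappings until dockerd is restarted; either order the plays so the firewall is applied before Docker is started, or do not flush on Docker hosts. For `"iptables -P INPUT DROP"` in `firewall_additional_rules`, confirm that the rules the role emits ahead of the additional rules already accept loopback and ESTABLISHED,RELATED traffic, because with a DROP policy anything not explicitly accepted (replies to the host's own outbound connections, ICMP) is silently dropped. The commented-out `#firewall_allowed_udp_ports` block for Jitsi is dead config in a group file; drop it or move it into a Jitsi `host_vars` example referenced from the README.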
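Review bot: the `group_vars/vagrant.yml` hunk diverges from the `docker` group config added in the same patch: it opens UDP `"10000"` and has no `firewall_additional_rules`, so a Vagrant host keeps the role's default handling of unmatched packets while a `docker` host gets an explicit `-P INPUT DROP` policy. If Vagrant hosts are also members of the `docker` group, both files set `firewall_allowed_udp_ports` and `firewall_allowed_tcp_ports`, and which value wins depends on Ansible's group variable precedence rather than on anything visible in either file; document the intended precedence or keep the two example configs consistent.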
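Review bot: in the `requirements.yml` hunk, `geerlingguy.firewall` is added without a `version:`; because this role decides whether the administrator keeps SSH access (flush behaviour, handling of unmatched packets), pin it to the release this change was tested against so a later `ansible-galaxy install` cannot silently change lockout behaviour. The existing `geerlingguy.pip` and `geerlingguy.docker` entries are unpinned too, but this one is the riskiest to leave floating.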