diff --git a/map.jinja b/map.jinja
--- a/map.jinja
+++ b/map.jinja
@@ -22,9 +22,15 @@
 {% set services = salt['grains.filter_by']({
 'Debian': {
 'manager': 'systemd',
+ 'firewall': 'iptables',
+ },
+ 'RedHat': {
+ 'manager': 'systemd',
+ 'firewall': 'firewalld',
 },
 'FreeBSD' : {
 'manager': 'rc',
+ 'firewall': 'pf',
 },
 }, default='Debian') %}
diff --git a/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja b/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
@@ -0,0 +1,15 @@
+
+
+ Public
+ For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
+
+
+
+
+{% for subnet in subnets %}
+
+
+
+
+{% endfor %}
+
diff --git a/roles/paas-docker/docker/firewall.sls b/roles/paas-docker/docker/firewall.sls
--- a/roles/paas-docker/docker/firewall.sls
+++ b/roles/paas-docker/docker/firewall.sls
@@ -0,0 +1,24 @@
+# -------------------------------------------------------------
+# Salt — Provision Docker engine
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-05-24
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, services with context %}
+
+# -------------------------------------------------------------
+# Firewalld
+# -------------------------------------------------------------
+
+{% if services['firewall'] == 'firewalld' %}
+
+{{ dirs.etc }}/firewalld/zones/public.xml:
+ file.managed:
+ - source: salt://roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
+ - template: jinja
+ - context:
+ subnets: {{ salt['paas_docker.get_subnets']() }}
+
+{% endif %}
diff --git a/roles/paas-docker/docker/init.sls b/roles/paas-docker/docker/init.sls
--- a/roles/paas-docker/docker/init.sls
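Review bot: With `default='Debian'` kept on the `filter_by` call, every os_family not listed in this map (SUSE, Arch, Alpine, ...) silently inherits `'firewall': 'iptables'`, and the new key gives no hint that only one of its three values is actually acted on — the `firewall.sls` added in this same change branches on `'firewalld'` alone, so on Debian and FreeBSD hosts the Docker subnets are not wired into any host firewall policy. A short comment above the map would keep the next reader from assuming `'iptables'`/`'pf'` mean something is enforced: `{# 'firewall': backend firewall.sls knows how to drive; only 'firewalld' is handled for now, other values are informational #}`. If the fallback-to-Debian behaviour is intentional for the firewall key too, it is worth saying so on that line.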
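Review bot: This template is installed over the distribution's whole `public` zone (see the `file.managed` on `/firewalld/zones/public.xml` in `firewall.sls`), so anything the stock zone or an administrator allowed there — the ssh service at minimum — survives only if it is repeated here; as rendered in this listing the XML elements are missing, so I cannot confirm whether the template keeps it, and a host that loses ssh in its public zone locks its operators out on the next firewalld reload. A header comment stating that contract would help: `{# Managed by Salt (roles/paas-docker/docker/firewall.sls). Replaces the entire public zone: every service the host must accept, ssh included, has to be declared in this file. #}`. Since Salt's Jinja renderer does not autoescape, it is also worth noting next to the `{% for subnet in subnets %}` loop that the values are trusted module output and are inserted into XML attributes verbatim.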
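Review bot: Nothing reloads firewalld once `public.xml` changes, so the rendered zone only takes effect after an out-of-band `firewall-cmd --reload` or a reboot; a `service.running` state watching the file (below) closes that gap, and if firewalld is installed by another state a `require` on that package should be added as well. The `subnets:` context value is the Python repr of whatever `paas_docker.get_subnets()` returns, which happens to parse as YAML for plain CIDR strings; `subnets: {{ salt['paas_docker.get_subnets']() | json }}` makes that explicit and safe for any list shape. Be aware that on Docker hosts of this era a firewalld reload is known to flush the iptables chains the Docker engine maintains, so a reload may need to be followed by a docker restart — worth confirming on the target hosts before wiring the watch.
```yaml
# … unchanged: header, imports, {% if services['firewall'] == 'firewalld' %} …
{{ dirs.etc }}/firewalld/zones/public.xml:
  file.managed:
    - source: salt://roles/paas-docker/docker/files/firewalld-zones-public.xml.jinja
    - template: jinja
    - context:
        subnets: {{ salt['paas_docker.get_subnets']() | json }}

firewalld:
  service.running:
    - enable: True
    - watch:
      - file: {{ dirs.etc }}/firewalld/zones/public.xml
# … unchanged: {% endif %} …
```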
+++ b/roles/paas-docker/docker/init.sls
@@ -11,4 +11,5 @@
 - .storage
 - .config
 - .images
+ - .firewall
 - .networks