diff --git a/provision/ansible/roles/prepare/tasks/network.yml b/provision/ansible/roles/prepare/tasks/network.yml
index 9061ba16..acfe918d 100644
--- a/provision/ansible/roles/prepare/tasks/network.yml
+++ b/provision/ansible/roles/prepare/tasks/network.yml
@@ -37,3 +37,44 @@
     net.bridge.bridge-nf-call-ip6tables: 1
     net.ipv4.conf.default.rp_filter: 0
     net.ipv4.conf.all.rp_filter: 0
+
+- name: UFW - Allow incoming
+  community.general.ufw:
+    direction: incoming
+    default: allow
+
+- name: UFW - Allow outgoing
+  community.general.ufw:
+    direction: outgoing
+    default: allow
+
+- name: UFW - Limit SSH
+  community.general.ufw:
+    rule: limit
+    port: ssh
+    proto: tcp
+
+#- name: UFW - Allow k3s
+#  community.general.ufw:
+#    rule: allow
+#    port: 6443
+#    proto: tcp
+
+#- name: Allow all access from RFC1918 networks to this host
+#  community.general.ufw:
+#    rule: allow
+#    src: '{{ item }}'
+#  loop:
+#    - 10.0.0.0/8
+#    - 172.16.0.0/12
+#    - 192.168.0.0/16
+
+- name: UFW - Deny portmapper
+  community.general.ufw:
+    rule: deny
+    port: '111'
+    proto: any
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
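Review bot: The "UFW - Allow incoming" task sets `default: allow` on the incoming direction, so once "Enable UFW" runs the only ingress restrictions on the host are the SSH rate limit and the portmapper deny; every other listening service (including the k3s API on 6443/tcp that the commented-out task was meant to whitelist) is reachable from anywhere. The commented-out k3s and RFC1918 allow rules suggest a deny-by-default design was the original intent, in which case the fix is `default: deny` for incoming together with explicit `rule: allow` tasks for the ports the node must expose (6443/tcp from this hunk, plus whatever inter-node ports the cluster's CNI needs — confirm against the k3s networking requirements before changing this, since a deny policy applied over SSH with a missing allow can cut off the node). If allow-by-default is deliberate because k3s manages its own iptables chains, that decision should be recorded above the task, e.g. `# Ingress defaults to allow: k3s programs its own iptables rules; UFW only rate-limits SSH and blocks portmapper (111)`, so a later maintainer does not read the firewall as protective when it is not. The "Limit SSH" rule matches `port: ssh` as resolved from /etc/services, so it silently misses a daemon moved to a non-standard port; a short comment noting that assumption would help. Also note that leaving the two disabled tasks as `#`-prefixed YAML is fragile — either delete them or gate them with `when:` on a role variable so they stay linted and visible in `--list-tasks`.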