diff --git a/pillar/FORMULAS.yaml b/pillar/FORMULAS.yaml
index 49775f1..a63fa27 100644
--- a/pillar/FORMULAS.yaml
+++ b/pillar/FORMULAS.yaml
@@ -1,6 +1,7 @@
 ---
 chrony: {}
 elasticsearch: {}
+firewalld: {}
 git: {}
 grains:
 namespace: 'tampakrap'
diff --git a/pillar/id/slimhat_infra_opensuse_org.sls b/pillar/id/slimhat_infra_opensuse_org.sls
index 91619e6..ca89bf3 100644
--- a/pillar/id/slimhat_infra_opensuse_org.sls
+++ b/pillar/id/slimhat_infra_opensuse_org.sls
@@ -1,7 +1,8 @@
 grains:
 city: QSC-nuremberg
 country: de-qsc
- roles: []
+ roles:
+ - firewall
 hostusage:
 - IPMI access
 reboot_safe: yes
@@ -17,3 +18,45 @@ grains:
 - rklein
 partners: []
 weburls: []
+
+# Firewall configuration
+firewalld:
+ enabled: true
+ LogDenied: 'off'
+ default_zone: public
+
+ zones:
+ heroes-internal:
+ short: heroes-internal
+ description: >-
+ Internal VPN network.
+ interfaces:
+ - tun0
+ services:
+ - ssh
+ heroes-external:
+ short: heroes-external
+ description: >-
+ Special ZONE with openSUSE VPN external IP addresses, so we can
+ guarantee that we have public access to SSH in case VPN goes down, but
+ without exposing SSH to the internet.
+ sources:
+ - 195.135.221.151
+ # Backdoor of @kbabioch for the time being
+ - 24.134.156.21
+ # Backdoor of @rklein for the time being
+ - 72.14.176.247
+ services:
+ - ssh
+ # NOT USED ZONES -- let it be to keep them clear and not attached to any
+ # interface or sources and without any service declared.
+ public:
+ short: Public
+ services:
+ - ssh
+ internal:
+ short: Internal
+ work:
+ short: Work
+ trusted:
+ short: Trusted
diff --git a/salt/profile/firewall/firewalld.sls b/salt/profile/firewall/firewalld.sls
new file mode 100644
index 0000000..7fbcded
--- /dev/null
+++ b/salt/profile/firewall/firewalld.sls
@@ -0,0 +1,8 @@
+{% set osmajorrelease = salt['grains.get']('osmajorrelease') %}
+
+include:
+{% if osmajorrelease == 15 %}
+ - firewalld
+{% else %}
+ []
+{% endif %}
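Review bot: `default_zone: public` together with `services: - ssh` under the `public` zone leaves SSH reachable from any source on every interface that is not bound to a zone, which contradicts both the heroes-external description ("without exposing SSH to the internet") and the comment directly above `public:` saying the unused zones carry no service declaration. Only `tun0` is bound (to heroes-internal) and heroes-external matches by `sources` alone, so traffic from any other address on the remaining interfaces appears to land in `public`, unless the physical NIC is assigned to a zone somewhere outside this pillar, which I cannot see here. Either remove the `services:` entry from `public` so the zone really is empty, or set `default_zone: drop` so unmatched traffic is discarded and the source whitelist is the only way in. `LogDenied: 'off'` also means a rejected connection on this whitelisted path leaves no trace; `LogDenied: unicast` would make a lockout or a probe visible in the journal at little cost. The two "for the time being" source addresses have no removal trigger; a ticket reference or date in those comments would keep them from becoming permanent.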
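Review bot: The `{% else %}` branch turns `profile.firewall.firewalld`, and through the new includes the whole `firewall` role, into a silent no-op on any release other than 15, so a host carrying the role on another release gets no firewall states applied and nothing in the highstate output says so. Add a comment above the `{% if %}` that records the restriction, e.g. `{# the firewalld formula is only included on osmajorrelease 15; every other release gets an empty include list #}`, and say why 15 is the cutoff if that is known. If the intent is that such hosts must not silently run unprotected, an explicit `test.fail_without_changes` state in the else branch would make the gap show up in the run instead of being skipped.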
diff --git a/salt/profile/firewall/init.sls b/salt/profile/firewall/init.sls
new file mode 100644
index 0000000..64eb3b3
--- /dev/null
+++ b/salt/profile/firewall/init.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.firewall.firewalld
diff --git a/salt/role/firewall.sls b/salt/role/firewall.sls
new file mode 100644
index 0000000..76e2011
--- /dev/null
+++ b/salt/role/firewall.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.firewall