diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index 8e522c3..ec63e93 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -10,7 +10,9 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
 
 - name: Resolver
   hosts: resolver
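Review bot: Adding `ufw` to the common role list gives every host in this play a firewall in which only 22/tcp is opened, so every service role that runs later (the `knot_resolver` role in the Resolver play below) becomes responsible for its own allow rule, and that contract is not stated anywhere in the play. A comment above `- role: ufw`, e.g. `# ufw: only SSH is opened here; service roles must add their own allow rules`, would make it explicit for the next role author. The `when` guard also means any non-Debian host in the inventory silently ends up with no host firewall at all rather than failing loudly; if the inventory is Debian-only that is moot, but an `ansible.builtin.assert` on `os_family` would turn the silent skip into an error. The play's header is outside the hunk.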
diff --git a/ansible/packer.yml b/ansible/packer.yml
index 5df8ea6..9792ce7 100644
--- a/ansible/packer.yml
+++ b/ansible/packer.yml
@@ -10,7 +10,9 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
   post_tasks:
     - name: Clean cloud-init
       ansible.builtin.command: cloud-init clean
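Review bot: The role list here now duplicates deploy.yml line for line, and this commit itself shows the cost: the wrong `os_family == "Ubuntu"` guard had to be corrected in two places. Consider factoring the shared roles into one playbook pulled in with `ansible.builtin.import_playbook`, or a list variable referenced from both files, so the image build and the deploy cannot drift apart again. Because `state: enabled` in the ufw role runs during the Packer build, the firewall is presumably baked into the image and active from first boot, before anything cloud-init provisions; a comment next to `- role: ufw` noting that image-level services need their rules added here would save a debugging session. The play's header is outside the hunk.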
diff --git a/ansible/roles/knot_resolver/tasks/main.yml b/ansible/roles/knot_resolver/tasks/main.yml
index e798b06..62d2614 100644
--- a/ansible/roles/knot_resolver/tasks/main.yml
+++ b/ansible/roles/knot_resolver/tasks/main.yml
@@ -19,3 +19,12 @@
     mode: "0644"
   notify:
     - Restart knot resolver
+
+- name: Allow port 53 (DNS)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  with_items:
+    - { port: "53", proto: "tcp" }
+    - { port: "53", proto: "udp" }
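Review bot: The new task opens 53/tcp and 53/udp to any source, so the resolver answers whatever can reach the host; unless it is meant to be a public resolver, an open recursive resolver is a DNS amplification vector and the rule should be limited to the client ranges it serves, e.g. by adding `src: "{{ item.src }}"` to the rule and carrying the allowed network in each loop item (or a single fixed `src:`). The task is unconditional while the ufw role that installs the binary is gated on `os_family == "Debian"`, so on any non-Debian resolver host this task would fail on a missing `ufw`; aligning the two guards, or asserting the OS family, removes the mismatch. Stylistically, prefer `loop:` over the legacy `with_items:` and block-style items over the flow mappings, matching the rest of the role. The preceding task's `notify` is visible but the task itself starts outside the hunk.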
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
new file mode 100644
index 0000000..8f60b48
--- /dev/null
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+
+- name: Allow 22/tcp (SSH)
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
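Review bot: The role never sets a default policy, so its deny-incoming behaviour rests entirely on the packaged `/etc/default/ufw` defaults rather than on anything the role asserts; a host whose defaults were ever changed would be enabled with an open firewall while the play reports success. Add an explicit `default: deny` / `direction: incoming` task before `state: enabled`. The SSH rule hard-codes port 22 while the `sshd` role runs earlier in the same play; if that role ever moves the port, enabling ufw here locks out the very hosts it protects, so a variable with a default of 22 keeps the two in step. Finally, `apt: name: ufw` has no explicit `state: present` (the module default, but worth stating) and no `update_cache`, which can matter on a fresh image in the Packer play.

```yaml
- name: Install UFW
  ansible.builtin.apt:
    name: ufw
    state: present
    update_cache: true

- name: Deny incoming traffic by default
  community.general.ufw:
    default: deny
    direction: incoming

- name: Allow SSH
  community.general.ufw:
    rule: allow
    port: "{{ ufw_ssh_port | default('22') }}"
    proto: tcp

# … unchanged: Enable UFW task …
```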