diff --git a/README.md b/README.md
index 5efbd08884101f434adccc282e9c32226313ff17..f0c995f0c0e7e9a04c8f01d20c228d46926c24ca 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,7 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
 
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 268f5d363f4262cb1372a85439a11c2b1a4c7f4e..85df9a7dd92610a133be9dffc92aef4629837cfe 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -19,6 +19,19 @@
       state: present
     when: ipaserver_setup_adtrust | bool
 
+  - name: Install - Ensure that firewall packages installed
+    package:
+      name: "{{ ipaserver_packages_firewalld }}"
+      state: present
+    when: ipaserver_setup_firewalld | bool
+
+  - name: Firewalld service - Ensure that firewalld is running
+    systemd:
+      name: firewalld
+      enabled: yes
+      state: started
+    when: ipaserver_setup_firewalld | bool
+
   when: ipaserver_install_packages | bool
 
 #- name: Install - Include Python2/3 import test
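Review bot: The `Firewalld service - Ensure that firewalld is running` task is nested in the block that ends with `when: ipaserver_install_packages | bool`, so a run with `ipaserver_install_packages=no` and firewalld setup left enabled never enables or starts the service. Any later step that opens the IPA ports would then presumably act on a stopped firewalld or fail; that step is not visible in this diff. Move the systemd task out of the block to task-list level so that it is gated only by `when: ipaserver_setup_firewalld | bool`, and write `enabled: true` rather than `enabled: yes`. The block's opening line is above the hunk.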
diff --git a/roles/ipaserver/vars/CentOS-7.yml b/roles/ipaserver/vars/CentOS-7.yml
index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644
--- a/roles/ipaserver/vars/CentOS-7.yml
+++ b/roles/ipaserver/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
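Review bot: The new last line `ipaserver_packages_firewalld: [ "firewalld" ]` is still followed by `\ No newline at end of file`, so the file keeps ending without a newline and the next appended variable will again show the preceding line as changed. End the file with a single newline. The same applies to the Fedora-25, Fedora-26, Fedora, RedHat-7.3 and RedHat-7 vars hunks.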
diff --git a/roles/ipaserver/vars/Fedora-25.yml b/roles/ipaserver/vars/Fedora-25.yml
index d97afb19623abf7db4f1ac6c95ac365a9b46eb03..374056c0aa3cdff4f8a350dcc64debf1e25fe4fb 100644
--- a/roles/ipaserver/vars/Fedora-25.yml
+++ b/roles/ipaserver/vars/Fedora-25.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/Fedora-26.yml b/roles/ipaserver/vars/Fedora-26.yml
index d97afb19623abf7db4f1ac6c95ac365a9b46eb03..374056c0aa3cdff4f8a350dcc64debf1e25fe4fb 100644
--- a/roles/ipaserver/vars/Fedora-26.yml
+++ b/roles/ipaserver/vars/Fedora-26.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/Fedora-27.yml b/roles/ipaserver/vars/Fedora-27.yml
index fa21e34cabcb7fb2585e281d43d8b5ea17d8cf29..b8bfb5774bf5587ee8b908346f524e6ad73951fc 100644
--- a/roles/ipaserver/vars/Fedora-27.yml
+++ b/roles/ipaserver/vars/Fedora-27.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/vars/Fedora.yml b/roles/ipaserver/vars/Fedora.yml
index 9db4446ad81fdde4d1d7be6ced459b1752c54171..55a383828196a1b810c4a3faf600944d21deeffa 100644
--- a/roles/ipaserver/vars/Fedora.yml
+++ b/roles/ipaserver/vars/Fedora.yml
@@ -1,3 +1,4 @@
 ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
-ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-7.3.yml b/roles/ipaserver/vars/RedHat-7.3.yml
index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644
--- a/roles/ipaserver/vars/RedHat-7.3.yml
+++ b/roles/ipaserver/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-7.yml b/roles/ipaserver/vars/RedHat-7.yml
index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644
--- a/roles/ipaserver/vars/RedHat-7.yml
+++ b/roles/ipaserver/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
 # vars/rhel.yml
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-8.yml b/roles/ipaserver/vars/RedHat-8.yml
index 5b9caac19c043c6038e661545709e9f42ac98eb1..7f5ae4644180195d9f956dd7fb2b641b992d67aa 100644
--- a/roles/ipaserver/vars/RedHat-8.yml
+++ b/roles/ipaserver/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
 ipaserver_packages: [ "@idm:DL1/server" ]
 ipaserver_packages_dns: [ "@idm:DL1/dns" ]
 ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/vars/Ubuntu.yml b/roles/ipaserver/vars/Ubuntu.yml
index b3944a929b0573d5c469cc1d95448c36a55eb85a..d0e01ea8a0a20451821e1d0a0c043f1d78b2c3cb 100644
--- a/roles/ipaserver/vars/Ubuntu.yml
+++ b/roles/ipaserver/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
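Review bot: On Ubuntu, `ipaserver_packages_firewalld: [ "firewalld" ]` makes the role install and start firewalld on hosts where ufw is the distribution's usual firewall front end. Two rule managers on one host can leave the effective packet filtering different from what either configuration describes. Add a comment above the variable such as `# installed and started when ipaserver_setup_firewalld is enabled; on hosts managed by ufw, disable ufw or set ipaserver_setup_firewalld=no`, and consider repeating it in the README. Whether the role checks for ufw elsewhere is not visible in this diff.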
diff --git a/roles/ipaserver/vars/default.yml b/roles/ipaserver/vars/default.yml
index eb5c4894afbaa767d36bb2d6b2a4f0d57b0ecfe3..9f6d58a432de19fb9864d7a635f5e31581293940 100644
--- a/roles/ipaserver/vars/default.yml
+++ b/roles/ipaserver/vars/default.yml
@@ -3,3 +3,4 @@
 ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]