diff --git a/firewall.tf b/firewall.tf
new file mode 100644
index 0000000..14b51c7
--- /dev/null
+++ b/firewall.tf
@@ -0,0 +1,62 @@
+resource "hcloud_firewall" "forgejo-fw" {
+ name = "forgejo-fw"
+ rule {
+ direction = "in"
+ protocol = "icmp"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "icmp"
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "22"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "ssh forgejo"
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "50001"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "ssh os"
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "80"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "http"
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "443"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "https"
+ }
+ rule {
+ direction = "in"
+ protocol = "tcp"
+ port = "9100"
+ source_ips = [
+ "0.0.0.0/0",
+ "::/0"
+ ]
+ description = "node_exporter"
+ }
+}
diff --git a/main.tf b/main.tf
index e893ff1..1258121 100644
--- a/main.tf
+++ b/main.tf
@@ -15,6 +15,7 @@ resource "hcloud_server" "production" {
 })
 delete_protection = true
 rebuild_protection = true
+ firewall_ids = [hcloud_firewall.forgejo-fw.id]
 }
 # Set RDNS entry of production server IPv4
diff --git a/staging.tf b/staging.tf
index 842f2b2..aa3f7ad 100644
--- a/staging.tf
+++ b/staging.tf
@@ -35,6 +35,7 @@ resource "hcloud_server" "staging" {
 ipv4 = hcloud_primary_ip.staging-ipv4.id
 ipv6 = hcloud_primary_ip.staging-ipv6.id
 }
+ firewall_ids = [hcloud_firewall.forgejo-fw.id]
 }
 # Set RDNS entry of staging server IPv4
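Review bot: The `node_exporter` rule (port 9100) admits `0.0.0.0/0` and `::/0`, which publishes host metrics (kernel version, mounted filesystems, process and network counters — useful reconnaissance) to the whole internet on every server this firewall is attached to; restrict it to the scraper's addresses, e.g. `source_ips = var.prometheus_scraper_ips` with a documented variable, or drop the rule and scrape over a private network or SSH tunnel. The `ssh os` rule on 50001 has the same shape: unlike port 22, which Forgejo presumably needs world-reachable for git-over-SSH, the host's own sshd only needs to be reachable from operator addresses, so an allowlist there cuts the brute-force surface at no cost. No `out` rules are declared, so egress is left to the provider's default (to my knowledge allow-all for Hetzner Cloud firewalls, while inbound is deny-by-default once attached) — a header comment such as `# Shared inbound allowlist for the Forgejo hosts; egress is intentionally left at the provider default` would record that intent for the next reader.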
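Review bot: Staging is now attached to the same `hcloud_firewall.forgejo-fw` as production, so any rule loosened for a staging experiment (a debug port, a wider source range) lands on production in the same apply, and staging inherits production-grade exposure such as the world-open 9100 rule. If the two environments are expected to diverge, give staging its own `hcloud_firewall` resource; if the coupling is deliberate, say so on this line, e.g. `firewall_ids = [hcloud_firewall.forgejo-fw.id] # intentionally shares production's rule set`. The enclosing `hcloud_server.staging` block starts outside the hunk.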