diff --git a/deploy.sh b/deploy.sh
index 2a36b0e..70095a1 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -2,6 +2,11 @@
 
 BASE_CMD="ansible-playbook playbook.yml --ask-vault-pass"
 
+if [ -z "$(ansible-galaxy collection list community.general 2>/dev/null)" ]; then
+    echo "Installing community modules"
+    ansible-galaxy collection install community.general
+fi
+
 if [ -z "$1" ]; then
     echo "Deploying all!"
     $BASE_CMD
diff --git a/roles/ubuntu_base/tasks/base.yml b/roles/ubuntu_base/tasks/base.yml
index 257352b..f4ed43f 100644
--- a/roles/ubuntu_base/tasks/base.yml
+++ b/roles/ubuntu_base/tasks/base.yml
@@ -9,6 +9,7 @@
     - apparmor
     - haveged
     - mosh
+    - ufw
     - srvadmin-all # Dell OpenManage
 
 - name: Install necessary packages via pip
diff --git a/roles/ubuntu_base/tasks/firewall.yml b/roles/ubuntu_base/tasks/firewall.yml
new file mode 100644
index 0000000..f431865
--- /dev/null
+++ b/roles/ubuntu_base/tasks/firewall.yml
@@ -0,0 +1,20 @@
+---
+- name: Setup firewall with UFW
+  community.general.ufw: 
+    state: enabled
+    policy: deny
+- name: Allow necessary ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+  loop:
+    - "22/tcp"     # Gitea SSH
+    - "80/tcp"     # HTTP
+    - "443/tcp"    # HTTPS
+    - "389/tcp"    # OpenLDAP
+    - "636/tcp"    # OpenLDAP
+    - "25/tcp"     # Email
+    - "465/tcp"    # Email
+    - "587/tcp"    # Email
+    - "993/tcp"    # Email
+    - "19022/tcp"  # SSH
diff --git a/roles/ubuntu_base/tasks/main.yml b/roles/ubuntu_base/tasks/main.yml
index d6d34a4..dddc508 100644
--- a/roles/ubuntu_base/tasks/main.yml
+++ b/roles/ubuntu_base/tasks/main.yml
@@ -7,4 +7,6 @@
   tags: [install-base-packages]
 - import_tasks: users.yml
   tags: [setup-users]
+- import_tasks: firewall.yml
+  tags: [setup-firewall]