diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 96d57c0..72b974a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -351,6 +351,7 @@ profiles::ceph::client::mons:
 # - prodinf01n22
 # - repos.main.unkin.net
+firewall::enable: true
 firewall::ipset_queries:
 certbot: "enc_role=roles::infra::pki::certbot"
 cobbler: "enc_role=roles::infra::cobbler::server"
diff --git a/modules/firewall/manifests/init.pp b/modules/firewall/manifests/init.pp
index dd540d9..5479d59 100644
--- a/modules/firewall/manifests/init.pp
+++ b/modules/firewall/manifests/init.pp
@@ -1,26 +1,29 @@
 # manage the firewall
 class firewall (
+ Boolean $enable = false,
 Hash $ipset_queries = {},
 ){
- $ipset_queries.each |$ipset, $query| {
- $ips = sort(query_nodes($query, 'networking.ip'))
+ if $enable {
+ $ipset_queries.each |$ipset, $query| {
+ $ips = sort(query_nodes($query, 'networking.ip'))
- nftables::set{$ipset:
- type => 'ipv4_addr',
- flags => ['dynamic'],
- elements => $ips,
+ nftables::set{$ipset:
+ type => 'ipv4_addr',
+ flags => ['dynamic'],
+ elements => $ips,
+ }
+ }
+
+ class {'nftables':
+ in_ssh => false,
+ in_icmp => true,
+ out_ntp => false,
+ out_dns => false,
+ out_http => false,
+ out_https => false,
+ out_icmp => true,
+ out_all => false,
 }
 }
-
- class {'nftables':
- in_ssh => false,
- in_icmp => true,
- out_ntp => false,
- out_dns => false,
- out_http => false,
- out_https => false,
- out_icmp => true,
- out_all => false,
- }
 }
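Review bot: `firewall::enable: true` at the common.yaml layer switches the firewall on for every node that declares the `firewall` class, so any host that must stay unfiltered now needs an explicit `firewall::enable: false` at a more specific hiera level. A comment next to the key stating that intent would help, e.g. `# Fleet-wide default; override to false per role/node to opt out.` The class this flag gates (second hunk) declares `nftables` with `in_ssh => false`, so whether administrative access remains reachable after the fleet-wide enable depends on rules defined outside this diff — worth confirming before merging.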
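Review bot: The new `Boolean $enable` parameter is undocumented, and its false branch leaves nftables unmanaged rather than disabled: with `$enable` false the class declares neither the `nftables::set` resources nor `class {'nftables': ...}`, so a node that previously ran with `enable => true` presumably keeps whatever ruleset is already loaded until something else removes it. The header comment `# manage the firewall` should become puppet-strings documentation, e.g. `# @param enable When false nothing is declared; existing nftables state is left untouched, not flushed.` and `# @param ipset_queries Map of set name to PuppetDB node query; each query's networking.ip values populate an ipv4_addr set.` The whole `firewall` class is within the hunk.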