diff --git a/group_vars/all/applications.yml b/group_vars/all/applications.yml
index 40a27dd..3df2f28 100644
--- a/group_vars/all/applications.yml
+++ b/group_vars/all/applications.yml
@@ -15,11 +15,6 @@ ppm_apps:
   - on_server: ppm.pfoe.be
     user: nginx
     chicken_egg_appdefinition: ../nginx/
-    firewall_redirect:
-      - from: 8080
-        to: 80
-      - from: 8443
-        to: 443
     appconfig:
       appinfo:
         url: https://ppm.pfoe.be/ppm/nginx.git
diff --git a/roles/ppm/files/ppmfirewall b/roles/ppm/files/ppmfirewall
new file mode 100644
index 0000000..1f63bd8
--- /dev/null
+++ b/roles/ppm/files/ppmfirewall
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# PPM Firewall
+
+{% for app in otherapps -%}
+{%- if "firewall" in otherapps[app]["imports"] -%}
+{%- set oneapp = otherapps[app]["imports"]["firewall"] %}
+
+{% for redirect in oneapp.redirect %}
+# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }}) for {{ app }}
+iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+{% endfor %}
+{% for openport in oneapp.open %}
+# Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
+iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/roles/ppm/tasks/firewall.yml b/roles/ppm/tasks/firewall.yml
new file mode 100644
index 0000000..2b58d7b
--- /dev/null
+++ b/roles/ppm/tasks/firewall.yml
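Review bot: The values interpolated into the iptables lines (`{{ redirect.from }}`, `{{ redirect.to }}`, `{{ openport.port }}` and each `proto`) are written into a root-run bash script unquoted and unvalidated, and they come from app definitions that the role checks out from git at install time (see the `git` dependency comment in ppminstall.yml), not from this repository's group_vars. A value that is not a plain port number would either change what the rendered script executes or abort it part-way, leaving the rule set half applied. If `ppm template` exposes Jinja2's built-in filters, `--dport {{ redirect.to | int }}` (and the same for `from` and `port`) confines the values to integers, and the protocol can be restricted with a guard such as `{% if redirect.proto | default('tcp') in ['tcp', 'udp'] %}` around each block. Unlike the deleted template, the two inner loops iterate `oneapp.redirect` and `oneapp.open` without `| default([])`; whether a missing key renders as an empty loop or aborts depends on the undefined handling `ppm template` configures, so restoring the default is the safer choice.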
@@ -0,0 +1,13 @@
+- name: Configure firewall options
+  ansible.builtin.copy:
+    dest: /home/.ppmfirewalltemplate
+    group: root
+    owner: root
+    mode: "0755"
+    src: ppmfirewall
+
+- name: Render firewall
+  ansible.builtin.shell: ppm template /home/.ppmfirewalltemplate /etc/firewall.d/ppmfirewall ; chmod 755 /etc/firewall.d/ppmfirewall
+  register: firewall_render
+  changed_when: "'content did not change' not in firewall_render.stdout"
+  notify: Restart firewall
diff --git a/roles/ppm/tasks/main.yml b/roles/ppm/tasks/main.yml
index b6acf32..d8bf828 100644
--- a/roles/ppm/tasks/main.yml
+++ b/roles/ppm/tasks/main.yml
@@ -9,11 +9,5 @@
     label: "{{ ppm_app.user }}"
   when: ppm_app.on_server == inventory_hostname
 
-- name: Configure firewall options
-  ansible.builtin.template:
-    dest: /etc/firewall.d/ppmfirewall
-    group: root
-    owner: root
-    mode: "0755"
-    src: ppmfirewall.j2
-  notify: Restart firewall
+- name: Arrange firewall
+  ansible.builtin.import_tasks: firewall.yml
diff --git a/roles/ppm/tasks/ppminstall.yml b/roles/ppm/tasks/ppminstall.yml
index 3619992..022f3e8 100644
--- a/roles/ppm/tasks/ppminstall.yml
+++ b/roles/ppm/tasks/ppminstall.yml
@@ -19,6 +19,8 @@
       - python3-jsonschema
       # Git is required for checking out the app definitions
       - git
+      # Yeah we should use nftables, patches welcome. For now, we install iptables
+      - iptables
 
 - name: Create state directory
   ansible.builtin.file:
diff --git a/roles/ppm/templates/ppmfirewall.j2 b/roles/ppm/templates/ppmfirewall.j2
deleted file mode 100644
index 1682c11..0000000
--- a/roles/ppm/templates/ppmfirewall.j2
+++ /dev/null
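Review bot: In the `Render firewall` task the `;` between `ppm template …` and `chmod 755 …` makes the task's exit status that of chmod, so a failed render is silently accepted whenever an earlier `/etc/firewall.d/ppmfirewall` already exists, and the stale script stays in place as if it were current. Joining the two commands with `&&` fixes the status; cleaner still is to drop the chmod from the shell line and set the mode with a following `ansible.builtin.file` task on `/etc/firewall.d/ppmfirewall` with `mode: "0755"`, which also reports its own change state. The `changed_when` test depends on a human-readable phrase in stdout, so if `ppm template` ever rewords it every run reports changed and notifies the firewall restart; if the tool signals "unchanged" by exit code or a flag, that is the more robust signal. The staged copy at `/home/.ppmfirewalltemplate` is given `mode: "0755"` although it is only read by `ppm template`; `"0644"` is sufficient.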
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# PPM Firewal, written by ansible
-
-{% for ppm_app in ppm_apps %}
-# Firewall for {{ ppm_app.user }}
-{% for redirect in ppm_app.firewall_redirect | default([]) %}
-# Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j ACCEPT
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j REDIRECT --to-ports {{ redirect.from }}
-{% endfor %}
-{% for openport in ppm_app.firewall_openport | default([]) %}
-# Open port {{ openport.port }} ({{ openport.proto | default('tcp') }})
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
-
-{% endfor %}