diff --git a/re2o.yml b/re2o.yml
index 4fb8669a..dd6364ca 100644
--- a/re2o.yml
+++ b/re2o.yml
@@ -46,3 +46,8 @@
 - hosts: odlyd.adm.crans.org,dhcp.adm.crans.org
 roles:
 - re2o-dhcp
+
+# Deploy re2o firewall on servers
+- hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org,zamok.adm.crans.org,routeur.adm.crans.org
+ roles:
+ - re2o-firewall
diff --git a/roles/re2o-firewall/tasks/main.yml b/roles/re2o-firewall/tasks/main.yml
new file mode 100644
index 00000000..7e3741b4
--- /dev/null
+++ b/roles/re2o-firewall/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Create re2o-firewall directory
+ file:
+ path: /var/local/re2o-services/firewall
+ state: directory
+ mode: '2775'
+ owner: root
+ group: nounou
+
+- name: Set ACL for re2o-firewall directory
+ acl:
+ path: /var/local/re2o-services/firewall
+ default: yes
+ entity: nounou
+ etype: group
+ permissions: rwx
+ state: query
+
+- name: Clone re2o-firewall repository
+ git:
+ repo: 'http://gitlab.adm.crans.org/nounous/re2o-firewall.git'
+ dest: /var/local/re2o-services/firewall
+ version: crans
+ umask: '002'
+
+- name: Create symbolic link to configuration
+ file:
+ src: /var/local/re2o-services/config.ini
+ dest: /var/local/re2o-services/firewall/config.ini
+ owner: root
+ group: root
+ state: link
+
+- name: Deploy cron for re2o-firewall
+ template:
+ src: cron.d/re2o-services-firewall.j2
+ dest: /etc/cron.d/re2o-services-firewall
diff --git a/roles/re2o-firewall/templates/cron.d/re2o-services-firewall.j2 b/roles/re2o-firewall/templates/cron.d/re2o-services-firewall.j2
new file mode 100644
index 00000000..2565d92e
--- /dev/null
+++ b/roles/re2o-firewall/templates/cron.d/re2o-services-firewall.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+*/2 * * * * root /usr/bin/python3 /var/local/re2o-services/firewall/main.py
+@reboot root /usr/bin/python3 /var/local/re2o-services/firewall/main.py --force
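Review bot: The new play in re2o.yml converges all five hosts in one batch, including routeur.adm.crans.org and odlyd.adm.crans.org, so a bad checkout of the firewall code would presumably reach every filtering host in the same run. Adding `serial: 1` to this play would let each host be converged and checked before the next one is touched. The host list is written inline like the neighbouring plays; a comment naming why these five hosts carry the firewall would help the next reader keep it in sync with the inventory.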
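Review bot: The clone task in roles/re2o-firewall/tasks/main.yml fetches `http://gitlab.adm.crans.org/nounous/re2o-firewall.git` over cleartext HTTP and tracks the branch `crans`, while the cron template added in the same commit runs that checkout's main.py as root, so nothing protects the integrity of code that ends up executing with full privileges. Switch `repo:` to an HTTPS or SSH remote if the GitLab instance offers one, and pin `version:` to a reviewed commit or signed tag (the git module's `verify_commit: yes` can enforce the signature). Separately, the task named "Set ACL for re2o-firewall directory" uses `state: query`, which only reads the ACL; it needs `state: present` for the default group entry to be applied. The final template task sets no ownership or mode; adding `owner: root`, `group: root`, `mode: '0644'` would make the permissions of the /etc/cron.d file explicit rather than inherited.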
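Review bot: Both cron entries run `/var/local/re2o-services/firewall/main.py` as root, yet the role creates that directory with `mode: '2775'`, `group: nounou` and clones with `umask: '002'`, so any account in that group can change what root executes every two minutes. If that is not the intended trust boundary, make the checkout root-owned and not group-writable (`mode: '0755'`, `umask: '022'`); if it is intended, say so in a comment above the cron lines. The `*/2` job also takes no lock, so a slow run could overlap the next one unless main.py guards against it itself; prefixing the command with `flock -n /run/re2o-firewall.lock` (lock path is illustrative) would prevent that.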