diff --git a/tools/firewall b/tools/firewall
new file mode 100644
index 0000000000000000000000000000000000000000..f37d2772940518d3aaa5f9333a7ddc1eb23a5e1f
--- /dev/null
+++ b/tools/firewall
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# DSI tools
+ufw allow from 195.176.241.240/29 to any port 9100 proto tcp
+ufw allow from 195.176.241.240/29 to any port 9877 proto tcp
+
+# Spice ports for running VMs
+ufw allow from any to any port 42000:48000 proto udp
+ufw allow from any to any port 42000:48000 proto tcp
+
+# nexus API
+ufw allow from any to any port 1077 proto tcp
+
+# ssh
+ufw allow from any to any port 22 proto tcp
+
+ufw enable
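Review bot: The two SPICE rules on `port 42000:48000` open about six thousand ports, over both TCP and UDP, to any source, although the DSI rules above already show per-source scoping; VM consoles would be better limited to the networks that need them, e.g. `ufw allow from <MGMT_CIDR> to any port 42000:48000 proto tcp` (placeholder CIDR), with the UDP rule dropped unless something is known to use it. The same question applies to the nexus API on 1077 and, to a lesser degree, ssh on 22, where `ufw limit` would at least add rate limiting. The script also relies on whatever default policy the host already has, so adding `ufw default deny incoming` before `ufw enable` would make the allow-list meaningful on every host. With no `set -e`, a failed ssh rule is still followed by `ufw enable`, and since `ufw enable` asks for confirmation when run over ssh, an unattended run probably needs `ufw --force enable`.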