diff --git a/plays/pearl.yml b/plays/pearl.yml
index 7903684..1ff6819 100644
--- a/plays/pearl.yml
+++ b/plays/pearl.yml
@@ -5,7 +5,7 @@
 roles:
 - 'any.common.python'
 - 'any.common.ssh'
- tags: [base, first]
+ tags: first
 - hosts: pearl
 become: true
@@ -13,7 +13,7 @@
 - 'any.common.debian-repositories'
 - 'any.common.debian-user'
 - 'any.tools.default'
- - 'any.tools.docker'
+ - 'any.tools.ufw'
 - 'any.tools.restic'
 - 'any.tools.caddy'
 tags: base
diff --git a/roles/any.tools.caddy/tasks/main.yml b/roles/any.tools.caddy/tasks/main.yml
index f9a30e4..b564163 100644
--- a/roles/any.tools.caddy/tasks/main.yml
+++ b/roles/any.tools.caddy/tasks/main.yml
@@ -34,3 +34,10 @@
 state: started
 enabled: true
+- name: Open HTTP ports in firewall
+ community.general.ufw:
+ port: '{{ item }}'
+ rule: 'allow'
+ loop:
+ - 'http'
+ - 'https'
diff --git a/roles/any.tools.ufw/tasks/main.yml b/roles/any.tools.ufw/tasks/main.yml
new file mode 100644
index 0000000..6c00c98
--- /dev/null
+++ b/roles/any.tools.ufw/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Ensure UFW is installed
+ apt:
+ name: ufw
+ state: present
+- name: Set default policy to deny
+ community.general.ufw:
+ default: 'deny'
+- name: Allow SSH connections
+ community.general.ufw:
+ port: 2222
+ rule: 'allow'
+- name: Ensure UFW is enabled
+ community.general.ufw:
+ state: 'enabled'
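Review bot: The position of the new `'any.tools.ufw'` entry ahead of `'any.tools.caddy'` in the second hunk of plays/pearl.yml is load-bearing and undocumented: the caddy role now calls `community.general.ufw` in its own hunk, which fails on a host where ufw is not installed yet, and the ufw role's default-deny plus enable would block 80/443 until caddy opens them. A comment above the entry, `# must run before any.tools.caddy, which opens its ports through ufw`, makes the ordering deliberate. Dropping `'any.tools.docker'` on the same line looks compatible with a ufw-managed host, since Docker's own iptables handling is known to bypass ufw, but that is inferred from the role name rather than anything visible here. In the first hunk, narrowing `tags: [base, first]` to `tags: first` means `--tags base` no longer runs the python and ssh roles of that play; if that is intended, a one-line comment on the play would spare the next reader the surprise.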
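Review bot: The `Open HTTP ports in firewall` task in roles/any.tools.caddy/tasks/main.yml opens the `http` and `https` service names for both TCP and UDP, because no `proto` is given, and nothing in the role records that it now depends on ufw being present. Add `proto: tcp` so only TCP 80/443 are allowed, and a comment above the task, `# requires ufw; any.tools.ufw runs earlier in plays/pearl.yml`, or declare the dependency in the role's meta. The service names are resolved through the target's /etc/services at run time; `port: 80` and `port: 443` would be explicit and avoid that lookup.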
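Review bot: `port: 2222` in `Allow SSH connections` of the new roles/any.tools.ufw/tasks/main.yml is the only rule standing between `default: 'deny'` and `state: 'enabled'`, and it is hard-coded rather than taken from wherever the sshd listen port is configured (presumably the `any.common.ssh` role); if the two ever disagree, enabling ufw drops management access. Reference the same variable the SSH role uses, e.g. `port: '{{ <ssh port variable> }}'`, and add `proto: tcp` so only TCP is opened. The task order itself is correct for lockout safety and deserves a comment above the enable task, `# keep after the allow rule: enabling with default deny and no SSH rule cuts off the session`. Style: `apt:` is the only short module name in a file that otherwise uses FQCNs; `ansible.builtin.apt:` keeps it consistent.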