diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index 47e3508..8e465eb 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -6,5 +6,16 @@ class confdroid_gitea::firewall::iptables (
 ) inherits confdroid_gitea::params {
-
+ if $ga_use_firewall == true {
+ firewall { "${ga_order_prefix}${ga_http_port} allow gitea http port ${ga_http_port}":
+ proto => 'tcp',
+ dport => $ga_http_port,
+ jump => 'accept',
+ }
+ firewall { "${ga_order_prefix}${ga_ssh_port} allow gitea ssh port ${ga_ssh_port}":
+ proto => 'tcp',
+ dport => $ga_ssh_port,
+ jump => 'accept',
+ }
+ }
 }
diff --git a/manifests/main/service.pp b/manifests/main/service.pp
index be141bc..6a4e740 100644
--- a/manifests/main/service.pp
+++ b/manifests/main/service.pp
@@ -8,5 +8,4 @@ class confdroid_gitea::main::service (
 ) inherits confdroid_gitea::params {
 require confdroid_gitea::firewall::iptables
 require confdroid_gitea::main::dirs
-
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index f9b985b..06ad4e3 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -2,9 +2,19 @@ # Module name: confdroid_gitea
 # Author: 12ww1160 (12ww1160@confdroid.com)
 # @summary holds all parameters for the confdroid_gitea Puppet module.
+ # @param [Boolean] ga_use_firewall Whether to enable firewall rules for Gitea.
+ # @param [String] ga_http_port The main port number for Gitea.
+ # @param [String] ga_ssh_port The SSH port number for Gitea.
+ # @param [String] ga_order_prefix The order prefix for firewall rules.
 ##############################################################################
 class confdroid_gitea::params (
+ # firewall
+ Boolean $ga_use_firewall = true,
+ String $ga_http_port = '3000',
+ String $ga_ssh_port = '22',
+ String $ga_order_prefix = '50',
+
 ) {
 # facts
 $fqdn = $facts['networking']['fqdn']
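Review bot: In manifests/firewall/iptables.pp both new `firewall` resources accept TCP from any source address, because neither rule sets `source`. With the defaults added in params.pp this opens the Gitea HTTP port 3000 and SSH port 22 to every network that can reach the host, and it does so by default since `ga_use_firewall` is `true`. If Gitea is meant to sit behind a reverse proxy or be reachable only from internal ranges, add a parameter for the allowed range (for example a new `$ga_fw_source`, which does not exist on this page) and add `source => $ga_fw_source,` to each rule. A short comment above the `if` saying that the rules are intentionally unrestricted would also help if that is the intended design.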
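Review bot: In manifests/params.pp the two port parameters are typed as plain `String` with no format or range check, so a value such as `'0'`, `'99999'` or a non-numeric string passes Puppet's type check. It is then interpolated into the rule title and passed to `dport` in iptables.pp, where it fails late or produces an unintended rule. Constraining the type keeps bad Hiera data out of the firewall, for example `Pattern[/\A\d{1,5}\z/] $ga_http_port = '3000',` (same for `$ga_ssh_port`), or `Integer[1, 65535]` if changing the accepted data type is acceptable. `$ga_order_prefix` forms the numeric ordering prefix of the rule name, so it should likewise be limited to digits, e.g. `Pattern[/\A\d+\z/] $ga_order_prefix = '50',`.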