diff --git a/ansible/inventory/group_vars/server.yml b/ansible/inventory/group_vars/server.yml
index 834fb0c..d86bf8e 100644
--- a/ansible/inventory/group_vars/server.yml
+++ b/ansible/inventory/group_vars/server.yml
@@ -15,3 +15,7 @@ server_dotfiles:
 - src: duckdns/
 dest: duckdns/
 mode: preserve
+
+server_ufw_rules:
+ - rule: allow
+ name: OpenSSH
diff --git a/ansible/inventory/group_vars/ubuntu.yml b/ansible/inventory/group_vars/ubuntu.yml
index b1d9a12..39aa50c 100644
--- a/ansible/inventory/group_vars/ubuntu.yml
+++ b/ansible/inventory/group_vars/ubuntu.yml
@@ -1,6 +1,7 @@
 ---
 ubuntu_packages_base:
 - curl
+ - ufw
 - htop
 - fastfetch
 - build-essential
@@ -18,4 +19,5 @@ ubuntu_docker_packages:
 - docker-compose-plugin
 enabled_services:
+ - ufw
 - docker
diff --git a/ansible/roles/profile_server/tasks/main.yml b/ansible/roles/profile_server/tasks/main.yml
index edf1e5f..2905502 100644
--- a/ansible/roles/profile_server/tasks/main.yml
+++ b/ansible/roles/profile_server/tasks/main.yml
@@ -11,3 +11,19 @@
 loop: "{{ server_dotfiles | default([]) }}"
 loop_control:
 label: "{{ item.dest }}"
+
+- name: Apply server UFW rules
+ tags: [services, packages]
+ community.general.ufw:
+ rule: "{{ item.rule }}"
+ name: "{{ item.name | default(omit) }}"
+ port: "{{ item.port | default(omit) }}"
+ proto: "{{ item.proto | default(omit) }}"
+ loop: "{{ server_ufw_rules | default([]) }}"
+ loop_control:
+ label: "{{ item.name | default(item.port) }}"
+
+- name: Enable UFW firewall on server
+ tags: [services, packages]
+ community.general.ufw:
+ state: enabled
diff --git a/ansible/roles/profile_workstation_gnome/tasks/main.yml b/ansible/roles/profile_workstation_gnome/tasks/main.yml
index e5efaef..ca57415 100644
--- a/ansible/roles/profile_workstation_gnome/tasks/main.yml
+++ b/ansible/roles/profile_workstation_gnome/tasks/main.yml
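Review bot: The `rule: allow` entry for OpenSSH in `server_ufw_rules` (group_vars/server.yml) opens SSH to every source address with no rate limiting. If this host is reachable from the internet, which the duckdns dotfiles just above suggest but do not prove, `rule: limit` is the closer fit because UFW then throttles repeated connection attempts from a single address: `- rule: limit` with `name: OpenSSH`. Restricting SSH by source address would additionally need the task in profile_server to pass a `from_ip` field, which the rule schema in this commit does not carry.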
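Review bot: `ufw` now sits beside `docker` in `enabled_services` (group_vars/ubuntu.yml), and nothing in the file records that ports published by Docker are not filtered by UFW rules. Docker programs its own iptables chains, so a container started with a published port stays reachable even when UFW's incoming policy is deny. A comment above the list would stop the next reader from assuming otherwise, for example `# NOTE: UFW does not filter ports published by Docker; bind them to 127.0.0.1 or filter in the DOCKER-USER chain`. The list is consumed outside this hunk, so how the units are started is not visible here.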
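Review bot: "Enable UFW firewall on server" (profile_server/tasks/main.yml) still runs when `server_ufw_rules` is undefined or empty, because the rule loop above it falls back to `default([])`. On a host with UFW's stock deny-incoming policy that turns the firewall on with no SSH rule, and later Ansible runs over SSH would be refused. A guard ahead of the enable task makes the precondition explicit, for example an `ansible.builtin.assert` with `that: server_ufw_rules | default([]) | length > 0`. The tasks file begins outside the hunk, so an equivalent check may already exist earlier in the role.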
@@ -251,3 +251,8 @@
 environment: "{{ workstation_gnome_environment }}"
 changed_when: workstation_gnome_extensions_state_changed
 when: workstation_gnome_extensions_state_changed
+
+- name: Enable UFW firewall on workstation
+ tags: [services, packages]
+ community.general.ufw:
+ state: enabled
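Review bot: "Enable UFW firewall on workstation" adds no allow rules, so all of its protection comes from UFW's default incoming policy, which the task does not set. On a machine where that default was changed earlier, `state: enabled` switches the firewall on while it still accepts everything. Pinning the policy in the same task keeps the result independent of prior state: `default: deny` together with `direction: incoming`. The enable task in profile_server leaves the policy unset in the same way.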