diff --git a/Puppetfile b/Puppetfile
index c0de1ee..4db5750 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -16,7 +16,7 @@ mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.1', git: 'https://github.c
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 mod 'ncsa/profile_dns_cache', tag: 'v1.0.0', git: 'https://github.com/ncsa/puppet-profile_dns_cache'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
-mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
+mod 'ncsa/profile_firewall', tag: 'v1.0.2', git: 'https://github.com/ncsa/puppet-profile_firewall'
 mod 'ncsa/profile_monitoring', tag: 'v0.1.5', git: 'https://github.com/ncsa/puppet-profile_monitoring'
 mod 'ncsa/profile_motd', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_motd'
 mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
@@ -33,8 +33,7 @@ mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegra
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
 mod 'puppetlabs/concat', '6.4.0'
-mod 'puppetlabs/firewall', '2.5.0'
-#mod 'puppetlabs-firewall', '2.8.0'
+mod 'puppetlabs/firewall', '3.0.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
diff --git a/data/role/puppet_master.yaml b/data/role/puppet_master.yaml
new file mode 100644
index 0000000..825abf4
--- /dev/null
+++ b/data/role/puppet_master.yaml
@@ -0,0 +1,13 @@
+---
+profile_firewall::ignores:
+ DOCKER:filter:IPv4: "*"
+ DOCKER-ISOLATION-STAGE-1:filter:IPv4: "*"
+ DOCKER-ISOLATION-STAGE-2:filter:IPv4: "*"
+ DOCKER-USER:filter:IPv4: "*"
+ FORWARD:filter:IPv4: ["docker", "DOCKER", "-o"]
+ DOCKER:nat:IPv4: "*"
+ PREROUTING:nat:IPv4: "-m addrtype --dst-type LOCAL -j DOCKER"
+ POSTROUTING:nat:IPv4: ["172.17", "172.18", "172.19"]
+ OUTPUT:nat:IPv4: "-d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
+
+profile_firewall::purge_all: false
diff --git a/site-modules/profile/manifests/base.pp b/site-modules/profile/manifests/base.pp
index 8b42c88..faa2619 100644
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@@ -6,6 +6,7 @@ class profile::base {
 include ::profile_allow_ssh_from_bastion
 include ::profile_dns_cache
 # include ::profile_email
+include ::profile_firewall
 include ::profile_monitoring
 include ::profile_motd
 include ::profile_pam_access
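Review bot: The `"-o"` entry in `FORWARD:filter:IPv4` and the bare `"172.17"`/`"172.18"`/`"172.19"` prefixes in `POSTROUTING:nat:IPv4` are broader than the Docker rules they are meant to exempt: if profile_firewall hands these values to the firewallchain `ignore` regexes of puppetlabs/firewall (not visible here, so to be confirmed), any FORWARD rule carrying an output-interface match and any POSTROUTING rule mentioning an address such as 172.170.x.x would also escape purging, which quietly widens what may persist on the Puppet master. Anchoring them keeps the exemption to what Docker installs, e.g. `POSTROUTING:nat:IPv4: ["172\\.17\\.", "172\\.18\\.", "172\\.19\\."]`, and `"-o"` would be better replaced by the bridge interface names Docker actually creates on this host (constructed example: `"-o docker0"`). `profile_firewall::purge_all: false` also deserves a comment stating why unmanaged rules are retained on this role, e.g. `# Docker rewrites its own chains at runtime; purge stays off so those rules survive agent runs`, since with it set any rule added by hand is kept as well.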
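Review bot: `include ::profile_firewall` is added with no comment or ordering next to `include ::profile_allow_ssh_from_bastion`, which by its name also installs firewall rules; if profile_firewall purges rules it does not manage (this commit turns purging off only for the puppet_master role via data/role/puppet_master.yaml), every other node that includes profile::base now gets that module's default purge behaviour, and whether the bastion SSH rules survive depends on whether that module declares them as managed firewall resources — worth confirming before merging. A one-line comment above the include would record that dependency, e.g. `# profile_firewall owns iptables on every node; per-role ignores/purge settings live in data/role/*.yaml`. The body of class profile::base starts and ends outside this hunk.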