diff --git a/tfclient/src/config.rs b/tfclient/src/config.rs
index c14e62e..0ada404 100644
--- a/tfclient/src/config.rs
+++ b/tfclient/src/config.rs
@@ -125,7 +125,8 @@ pub struct NebulaConfig {
     #[serde(skip_serializing_if = "is_none")]
     pub sshd: Option<NebulaConfigSshd>,
 
-    // FIREWALL
+    #[serde(skip_serializing_if = "is_none")]
+    pub firewall: Option<NebulaConfigFirewall>,
 
     #[serde(default = "u64_1")]
     #[serde(skip_serializing_if = "is_u64_1")]
@@ -395,7 +396,73 @@ pub struct NebulaConfigStatsPrometheus {
     pub lighthouse_metrics: bool
 }
 
+#[derive(Serialize, Deserialize)]
+pub struct NebulaConfigFirewall {
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub conntrack: Option<NebulaConfigFirewallConntrack>,
+
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub inbound: Option<Vec<NebulaConfigFirewallRule>>,
+
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub outbound: Option<Vec<NebulaConfigFirewallRule>>,
+}
+
+#[derive(Serialize, Deserialize)]
+pub struct NebulaConfigFirewallConntrack {
+    #[serde(default = "string_12m")]
+    #[serde(skip_serializing_if = "is_string_12m")]
+    pub tcp_timeout: String,
+    #[serde(default = "string_3m")]
+    #[serde(skip_serializing_if = "is_string_3m")]
+    pub udp_timeout: String,
+    #[serde(default = "string_10m")]
+    #[serde(skip_serializing_if = "is_string_10m")]
+    pub default_timeout: String
+}
+
+#[derive(Serialize, Deserialize)]
+pub struct NebulaConfigFirewallRule {
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub port: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub proto: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub ca_name: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub ca_sha: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub host: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub group: Option<String>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub groups: Option<Vec<String>>,
+    #[serde(default = "none")]
+    #[serde(skip_serializing_if = "is_none")]
+    pub cidr: Option<String>
+}
+
 // Default values for serde
+
+fn string_12m() -> String { "12m".to_string() }
+fn is_string_12m(s: &str) -> bool { s == "12m" }
+
+fn string_3m() -> String { "3m".to_string() }
+fn is_string_3m(s: &str) -> bool { s == "3m" }
+
+fn string_10m() -> String { "10m".to_string() }
+fn is_string_10m(s: &str) -> bool { s == "10m" }
+
 fn empty_vec<T>() -> Vec<T> { vec![] }
 fn is_empty_vec<T>(v: &Vec<T>) -> bool { v.is_empty() }