diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 2a193eb80a9cdd7493f92303ce0788f9a1bc2e69..c4b705d2899738fd615768cf0d25828de4e3841d 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -202,11 +202,11 @@ The role implements the following: itself, and provided they know the exact path of the file. * Deploys CA certificate files, normally used for truststore purposes, to ``/etc/ssl/certs/``. -* Installs ferm (for iptables management), configuring a basic firewall which - allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH), - and also introduces rate-limitting for incoming ICMP echo request pacakges and - (new) TCP connections. The rate-limitting is based on the source IP address, - using the ``iptables hashlimit`` module. +* Installs ``ferm`` (for iptables management), configuring a basic firewall + which allows ICMP echo requests (PING), incoming connection on TCP port 22 + (SSH), and also introduces rate-limitting for incoming ICMP echo request + pacakges and (new) TCP connections. The rate-limitting is based on the source + IP address, using the ``iptables hashlimit`` module. Parameters @@ -388,6 +388,7 @@ The role implements the following: attribute will update corresponding group as well. * Configures permissions. * Creates LDAP entries. +* Configures firewall to allow incoming connections to the LDAP server. Parameters @@ -522,6 +523,7 @@ The role implements the following: * Deploys XMPP TLS private key and certificate. * Installs Prosody. * Configures Prosody. +* Configures firewall to allow incoming connections to the XMPP server. Prosody is configured as follows: 
@@ -636,6 +638,9 @@ The role implements the following: * Purges Exim4 configuration (just in case). * Installs SWAKS (utility for testing SMTP servers). * Sets-up the necessary directories and files under Postfix chroot. +* Configures firewall to allow incoming connections to the mail server. This + includes set-up of redirection from TCP port 26 to TCP port 25 (alternate SMTP + to work around common network blocks). Deployed services are configured as follows: diff --git a/roles/ldap_server/files/ferm_ldap.conf b/roles/ldap_server/files/ferm_ldap.conf new file mode 100644 index 0000000000000000000000000000000000000000..bcbd7625133a841d82202f54aad849eeddf30646 --- /dev/null +++ b/roles/ldap_server/files/ferm_ldap.conf @@ -0,0 +1,5 @@ +table filter { + chain INPUT { + proto tcp dport 389 ACCEPT; + } +} \ No newline at end of file diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 63e6860f73bf6e14429b76cd27ad2d42a974804f..ca3ee194d006759526f2220463f8ccc8a0d49665 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -74,3 +74,8 @@ ldap_entry: "" args: "{{ item }}" with_items: ldap_entries + +- name: Deploy firewall configuration for LDAP + copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640 + notify: + - Restart ferm \ No newline at end of file diff --git a/roles/mail_server/files/ferm_mail.conf b/roles/mail_server/files/ferm_mail.conf new file mode 100644 index 0000000000000000000000000000000000000000..f14eaae24cae3bfaac914c41bd40a4c521d5c2d0 --- /dev/null +++ b/roles/mail_server/files/ferm_mail.conf 
@@ -0,0 +1,20 @@ +table filter { + chain INPUT { + # SMTP (with alternative port) + proto tcp dport 25 ACCEPT; + proto tcp dport 26 ACCEPT; + # IMAP + proto tcp dport 143 ACCEPT; + proto tcp dport 993 ACCEPT; + # ManageSieve + proto tcp dport 4190 ACCEPT; + } +} + +table nat { + chain PREROUTING { + # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks + # etc). + proto tcp dport 26 REDIRECT to-ports 25; + } +} diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index c853b940e3ccb0e799a7320cf4a2e1096d57930a..fe6d1e0e73e65509192b01f58f96ef006804e4e1 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml @@ -137,3 +137,8 @@ - name: Enable Dovecot service service: name=dovecot enabled=yes state=started + +- name: Deploy firewall configuration for mail server + copy: src="ferm_mail.conf" dest="/etc/ferm/conf.d/20-mail.conf" owner=root group=root mode=640 + notify: + - Restart ferm \ No newline at end of file diff --git a/roles/prosody/files/ferm_xmpp.conf b/roles/prosody/files/ferm_xmpp.conf new file mode 100644 index 0000000000000000000000000000000000000000..2804a84a246632355ad12ab66c75ed19723e8f40 --- /dev/null +++ b/roles/prosody/files/ferm_xmpp.conf @@ -0,0 +1,11 @@ +table filter { + chain INPUT { + # XMPP client connections. + proto tcp dport 5222 ACCEPT; + proto tcp dport 5223 ACCEPT; + # File proxying. + proto tcp dport 5000 ACCEPT; + # XMPP server connections. + proto tcp dport 5269 ACCEPT; + } +} \ No newline at end of file diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml index 596c50c343544b0ddcdaeb4d203765bbc6112776..cb3017e4afd21c80c179a895fd54016c64efa87c 100644 --- a/roles/prosody/tasks/main.yml +++ b/roles/prosody/tasks/main.yml 
@@ -48,4 +48,9 @@ - Restart Prosody - name: Enable and start Prosody service - service: name=prosody state=started \ No newline at end of file + service: name=prosody state=started + +- name: Deploy firewall configuration for XMPP server + copy: src="ferm_xmpp.conf" dest="/etc/ferm/conf.d/30-xmpp.conf" owner=root group=root mode=640 + notify: + - Restart ferm \ No newline at end of file
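Review bot: the rewrapped ferm bullet in docs/rolereference.rst (hunk @@ -202,11 +202,11 @@) carries the pre-existing typos "rate-limitting" (twice) and "pacakges" into the new lines unchanged; since every line of that paragraph is touched anyway, correct them to "rate-limiting" and "packages", and "incoming connection on TCP port 22 (SSH)" reads better as "incoming connections on TCP port 22 (SSH)".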
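Review bot: the mail_server documentation bullet (hunk @@ -636,6 +638,9 @@) names only the 26-to-25 redirect, while the accompanying ferm_mail.conf also opens TCP 25, 143, 993 and 4190; listing the opened ports (SMTP, alternate SMTP, IMAP, IMAPS, ManageSieve) in this bullet, and likewise 389 for LDAP and 5222/5223/5000/5269 for XMPP in theirs, lets a reader see each role's exposed surface from the reference alone rather than from the ferm files.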
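Review bot: `proto tcp dport 389 ACCEPT;` in roles/ldap_server/files/ferm_ldap.conf admits plain LDAP from any source address, and only 389; if the server is also configured for LDAPS on 636 that port stays blocked, and if it is meant to serve a known set of hosts, a source restriction such as `saddr 192.0.2.0/24 proto tcp dport 389 ACCEPT;` (placeholder network, to be taken from a role variable) keeps the exposure in line with the least-privilege base firewall. Either way a comment stating whether STARTTLS is required on 389 would document the intent. The file is also missing its trailing newline.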
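Review bot: the new "Deploy firewall configuration for LDAP" task in roles/ldap_server/tasks/main.yml writes into `/etc/ferm/conf.d/` and notifies `Restart ferm`, both of which exist only when the role that installs ferm has been applied to the same host; nothing in this hunk declares that as a dependency in meta/main.yml, so applying ldap_server on its own fails either at the handler lookup or at the copy into the missing directory. Add the dependency or document it as a prerequisite; the same applies to the matching mail_server and prosody task hunks. `mode=640` works as octal here, but `mode=0640` makes that explicit, and the file should end with a newline.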
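Review bot: `proto tcp dport 26 ACCEPT;` in the INPUT chain of roles/mail_server/files/ferm_mail.conf never matches anything: `proto tcp dport 26 REDIRECT to-ports 25;` in nat PREROUTING rewrites the destination port before the packet reaches filter INPUT, so the connection is accepted by `proto tcp dport 25 ACCEPT;` instead. Drop the line, or replace it with a comment that 26 is covered through the redirect, so a later reader does not conclude that Postfix itself listens on 26. It is also worth a comment on why 26 was chosen over the standard submission port 587 that clients normally use when 25 is blocked.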
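Review bot: `proto tcp dport 5000 ACCEPT;` under `# File proxying.` in roles/prosody/files/ferm_xmpp.conf opens the SOCKS5 bytestream proxy port (5000 is Prosody's mod_proxy65 default) to every source; if the Prosody configuration deployed by this role does not enable that module, the rule admits traffic to a closed port and should be dropped, and if it does, name the module in the comment so the rule can be traced to it. The same check applies to 5223, the legacy SSL-wrapped client port, which is only useful if the role's Prosody config actually listens on it. The file also ends without a trailing newline.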
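Review bot: this hunk in roles/prosody/tasks/main.yml repairs the missing newline after `service: name=prosody state=started` only to end the file without one again after `- Restart ferm`; add the trailing newline so the next change to this file does not produce the same "No newline at end of file" churn. The handler and conf.d dependency point raised on the ldap_server task hunk applies here as well.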