diff --git a/docs/rolereference.rst b/docs/rolereference.rst index b6e1f6c0af206d87420572173b6a1b4f2fcc11c8..2a193eb80a9cdd7493f92303ce0788f9a1bc2e69 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -202,6 +202,11 @@ The role implements the following: itself, and provided they know the exact path of the file. * Deploys CA certificate files, normally used for truststore purposes, to ``/etc/ssl/certs/``. +* Installs ferm (for iptables management), configuring a basic firewall which + allows ICMP echo requests (PING), incoming connection on TCP port 22 (SSH), + and also introduces rate-limitting for incoming ICMP echo request pacakges and + (new) TCP connections. The rate-limitting is based on the source IP address, + using the ``iptables hashlimit`` module. Parameters @@ -253,6 +258,17 @@ Parameters on originating (Ansible) host that should be copied to destination server. +**incoming_connection_limit** (string, mandatory) + Rate at which the incoming ICMP echo-request packages and new TCP connections + will be accepted at. The value should be specified in the same format as value + for the ``iptables hashlimit`` option ``--hashlimit-upto``. + +**incoming_connection_limit_burst** (string, mandatory) + Initial burst of packages that should be accepted when the client with + distinct source IP address connects to the server for the first time (usually + higher than ``incoming_connection_limit``), even if it would go above the + specified connection limit. + Examples ~~~~~~~~ @@ -289,6 +305,10 @@ packages on all servers: ca_certificates: - ../certs/truststore.pem + incoming_connection_limit: 2/second + + incoming_connection_limit_burst: 6 + .. _ldap_client: LDAP Client
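Review bot: the new bullet in the first hunk has several spelling and terminology errors that will ship into the rendered role reference: "rate-limitting" (twice) should be "rate-limiting", "pacakges" should be "packages", and since these are ICMP echo requests the correct term is "packets" rather than "packages"; "incoming connection on TCP port 22" should also be plural. The bullet should additionally state what the firewall does with traffic it does not list, i.e. whether everything else incoming is dropped and whether outgoing traffic is left unrestricted, since "basic firewall which allows ..." leaves the default policy to the reader's imagination and that is the property an operator most needs to know before applying the role.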
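Review bot: the parameter descriptions in the second hunk should name the exact hashlimit option each value feeds, and the types look inconsistent with the example. ``incoming_connection_limit`` is described as the value for ``--hashlimit-upto`` (good), so the text could list the accepted unit suffixes (``/second``, ``/minute``, ``/hour``, ``/day``) rather than pointing the reader at the iptables manual; ``incoming_connection_limit_burst`` is presumably passed to ``--hashlimit-burst``, which takes an integer count, yet it is documented as ``(string, mandatory)`` while the example sets it to the bare integer ``6``. Minor wording: "will be accepted at" ends with a stray "at", "packages" should again be "packets", and "the client with distinct source IP address" reads better as "a client with a given source IP address", making clear the burst allowance is tracked per source address.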
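Review bot: in the third hunk the two new keys are separated by blank lines from ``ca_certificates`` and from each other, which does not match the rest of the example block where consecutive keys are adjacent; drop the blank lines so the example renders as one mapping. The example is also a good place to add a one-line note that the limit counts new TCP connections per source address including port 22, so a very low ``incoming_connection_limit`` combined with a small burst can throttle the Ansible controller itself when it opens several SSH connections in quick succession; ``2/second`` with a burst of ``6`` may be tight for some setups, and the reader should know to size it for their own control host.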