diff --git a/bench/cli.py b/bench/cli.py
old mode 100644
new mode 100755
index 56e0bec6..033a272a
--- a/bench/cli.py
+++ b/bench/cli.py
@@ -47,7 +47,7 @@ def check_uid():
 sys.exit(1)
 def cmd_requires_root():
- if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx'):
+ if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx', 'firewall'):
 return True
 if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production'):
 return True
diff --git a/bench/commands/setup.py b/bench/commands/setup.py
index f2d8fe2d..5f7a8650 100755
--- a/bench/commands/setup.py
+++ b/bench/commands/setup.py
@@ -75,6 +75,14 @@ def setup_env():
 from bench.utils import setup_env
 setup_env()
+@click.command('firewall')
+def setup_firewall():
+ "Setup firewall"
+ from bench.utils import run_playbook
+ click.confirm('Setting up the firewall will block all ports except 80, 443 and 22\n'
+ 'Do you want to continue?',
+ abort=True)
+ run_playbook('production/setup_firewall.yml')
 @click.command('lets-encrypt')
 @click.argument('site')
@@ -171,3 +179,4 @@ setup.add_command(setup_fonts)
 setup.add_command(add_domain)
 setup.add_command(remove_domain)
 setup.add_command(sync_domains)
+setup.add_command(setup_firewall)
diff --git a/bench/utils.py b/bench/utils.py
index 5fed8246..2ecc6ec6 100755
--- a/bench/utils.py
+++ b/bench/utils.py
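Review bot: The root-requiring subcommand names in cmd_requires_root are a hand-maintained tuple that lives far from where the commands are registered in bench/commands/setup.py, so the next privileged `setup` subcommand is as easy to forget here as `firewall` evidently was until this commit. Hoisting the tuple into a named module-level constant, e.g. `ROOT_SETUP_COMMANDS = ('production', 'sudoers', 'lets-encrypt', 'fonts', 'reload-nginx', 'firewall')` and testing `sys.argv[2] in ROOT_SETUP_COMMANDS`, gives reviewers one obvious place to check when a command is added. The test also keys only on `sys.argv[2]` without confirming that `sys.argv[1]` is `setup`, which predates this change but is worth noting now that the list grows. cmd_requires_root continues past the end of the hunk.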
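Review bot: The prompt in setup_firewall states that only 80, 443 and 22 stay reachable, but it does not warn that an sshd bound to any other port is locked out once the playbook's default-deny policy lands, which is the one outcome the operator cannot repair remotely. Extending the first line to something like `'Setting up the firewall will block all ports except 80, 443 and 22 (SSH on any other port will be cut off)\n'` makes the risk explicit before `abort=True` is the only way out. The port list is also duplicated from playbooks/production/setup_firewall.yml, so the prompt will silently become wrong if the playbook changes; a comment pointing at the playbook, or a shared constant, would keep them aligned. An option to skip the interactive confirmation would let provisioning scripts run the command non-interactively.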
@@ -684,4 +684,11 @@ def set_git_remote_url(git_url, bench_path='.'):
 app_dir = bench.app.get_repo_dir(app, bench_path=bench_path)
 if os.path.exists(os.path.join(app_dir, '.git')):
- exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
\ No newline at end of file
+ exec_cmd("git remote set-url upstream {}".format(git_url), cwd=app_dir)
+
+def run_playbook(playbook_name):
+ if not find_executable('ansible'):
+ print "Ansible is needed to run this command, please install it using 'pip install ansible'"
+ sys.exit(1)
+ args = ['ansible-playbook', '-c', 'local', playbook_name]
+ subprocess.check_call(args, cwd=os.path.join(os.path.dirname(bench.__path__[0]), 'playbooks'))
diff --git a/playbooks/production/setup_firewall.yml b/playbooks/production/setup_firewall.yml
new file mode 100755
index 00000000..00b6b893
--- /dev/null
+++ b/playbooks/production/setup_firewall.yml
@@ -0,0 +1,43 @@
+- name: Setup Firewall
+ user: root
+ hosts: localhost
+
+ tasks:
+ # For CentOS
+ - name: Install firewalld
+ yum: name=firewalld state=present
+ when: ansible_distribution == 'CentOS'
+
+ - name: Enable Firewall
+ service: name=firewalld state=started enabled=yes
+ when: ansible_distribution == 'CentOS'
+
+ - name: Add firewall rules
+ firewalld: port={{ item }}/tcp permanent=true state=enabled
+ with_items:
+ - 80
+ - 443
+ - 22
+ when: ansible_distribution == 'CentOS'
+
+ - name: Restart Firewall
+ service: name=firewalld state=restarted enabled=yes
+ when: ansible_distribution == 'CentOS'
+
+ # For Ubuntu / Debian
+ - name: Install ufw
+ apt: name=ufw state=present
+ when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+ - name: Enable Firewall
+ ufw: state=enabled policy=deny
+ when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+ - name: Add firewall rules
+ ufw: rule=allow proto=tcp port={{ item }}
+ with_items:
+ - 80
+ - 443
+ - 22
+ when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
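Review bot: run_playbook probes for an `ansible` executable but then launches `ansible-playbook`, so the friendly install hint can be bypassed when only one of the two is on PATH and the user instead gets an OSError traceback from subprocess.check_call; the guard should name the binary it actually runs, `if not find_executable('ansible-playbook'):`. A playbook that exits non-zero likewise surfaces as a raw CalledProcessError rather than the message-plus-`sys.exit(1)` style used two lines above; catching it and exiting with its return code would keep the two failure paths consistent. The hunk does not show where find_executable is imported (distutils.spawn provides one with this name), so confirm it is in scope in this module. The enclosing set_git_remote_url begins before the hunk.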
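Review bot: On the Ubuntu/Debian branch the `Enable Firewall` task applies `ufw: state=enabled policy=deny` before the `Add firewall rules` task allows port 22, so new SSH connections are refused between the two tasks, and if the play stops there (a failed module, an interrupted run) the host is left default-deny with no allow rules; add the allow rules first and apply `state=enabled policy=deny` as the last step. The CentOS branch has the mirror-image gap: rules are added with `permanent=true` but not `immediate=true`, so nothing takes effect until `Restart Firewall`, and a failure before that task leaves the runtime state unchanged while the permanent state already differs. No task matches any other distribution, so on a RHEL-family or Debian-derived host every `when:` is false and the play ends green having configured nothing; a closing `fail:` task guarded by the inverse of those conditions would surface that instead of reporting success. `user: root` looks like the deprecated alias for `remote_user`; since the CLI already requires root for this command, dropping it or spelling it as `remote_user`/`become` avoids relying on a key newer Ansible may reject.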