diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
new file mode 100644
index 0000000..b6f44c5
--- /dev/null
+++ b/manifests/firewall/iptables.pp
@@ -0,0 +1,16 @@
+# prometheus_cd::firewall::iptables.pp
+# Module name: prometheus_cd
+# Author: Arne Teuke (arne_teuke@confdroid.com)
+# @summary Class manages the firewall rules for the prometheus_cd module.
+##############################################################################
+class prometheus_cd::firewall::iptables (
+) inherits prometheus_cd::params {
+ if ($ps_prom_host == $fqdn) and ($ps_manage_fw == true) {
+ # main port
+ firewall { "${ps_fw_prefix}${$ps_main_port} main port":
+ proto => 'tcp',
+ dport => $ps_main_port,
+ jump => 'accept',
+ }
+ }
+}
diff --git a/manifests/main/dirs.pp b/manifests/main/dirs.pp
index 7dd7f55..3c24a54 100644
--- a/manifests/main/dirs.pp
+++ b/manifests/main/dirs.pp
@@ -6,4 +6,16 @@
 class prometheus_cd::main::dirs (
 ) inherits prometheus_cd::params {
 require prometheus_cd::main::install
+ if $ps_prom_host == fqdn {
+ file { $ps_main_dir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+ }
 }
diff --git a/manifests/main/service.pp b/manifests/main/service.pp
index 42edb47..26eaeaf 100644
--- a/manifests/main/service.pp
+++ b/manifests/main/service.pp
@@ -6,7 +6,8 @@
 class prometheus_cd::main::service (
 ) inherits prometheus_cd::params {
 require prometheus_cd::main::files
- if $manage_prometheus == true {
+ require prometheus_cd::firewall::iptables
+ if ($ps_prom_host == $fqdn) and ($manage_prometheus == true) {
 service { 'prometheus':
 ensure => running,
 hasstatus => true,
diff --git a/manifests/params.pp b/manifests/params.pp
index 846c3aa..3e04ed9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
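Review bot: The `firewall` resource in manifests/firewall/iptables.pp accepts TCP on `$ps_main_port` from any source address, because it sets only `proto`, `dport` and `jump`. Prometheus serves its query API on that port, so the rule should be limited to the networks that need it, for example through a new class parameter used as `source => $ps_fw_source,` (the parameter name is a suggestion and does not exist in params.pp yet). Separately, the title interpolates `${$ps_main_port}` while the prefix is written `${ps_fw_prefix}`; `${ps_main_port}` would be consistent. With the defaults the title starts with `509090`, which is presumably not the intended ordering prefix, so a space after `${ps_fw_prefix}` looks necessary.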
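Review bot: In manifests/main/dirs.pp the condition `if $ps_prom_host == fqdn {` compares against the bare word `fqdn`, which Puppet evaluates as the string 'fqdn' rather than the fact, so the `file { $ps_main_dir:` resource is applied only when the parameter is literally set to that string. The other two manifests in this commit compare against `$fqdn`; the line should read `if $ps_prom_host == $facts['networking']['fqdn'] {`, matching the `$facts[...]` lookups already used in params.pp. The same substitution would replace the legacy top-scope `$fqdn` in iptables.pp and service.pp.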
@@ -7,14 +7,27 @@ # @param [String] pkg_ensure which version of the package to install # @param [boolean] manage_prometheus whether to manage prometheus # @param [boolean] manage_node_exporter whether to manage node exporter +# @param [boolean] ps_manage_fw whether to manage the firewall +# @param [String] ps_prom_host the fqdn of the prometheus server +# @param [String] ps_fw_prefix the firewall rule prefix +# @param [String] ps_main_port the firewall main port for prometheus ############################################################################## class prometheus_cd::params ( + # installation String $reqpackage_prom = 'prometheus2', String $reqpackage_ne = 'node_exporter', String $pkg_ensure = 'present', + + # config logic Boolean $manage_prometheus = false, Boolean $manage_node_exporter = false, + Boolean $ps_manage_fw = false, + String $ps_prom_host = 'prometheus.example.net', + + # firewall + String $ps_fw_prefix = '50', + String $ps_main_port = '9090', ) { # defaults @@ -23,6 +36,9 @@ class prometheus_cd::params ( $os_name = $facts['os']['name'] $os_release = $facts['os']['release']['major'] + # dirs + $ps_main_dir = '/etc/prometheus' + # includes must be last include prometheus_cd::main::config } diff --git a/templates/prometheus.yaml b/templates/prometheus.yaml new file mode 100644 index 0000000..7092154 --- /dev/null +++ b/templates/prometheus.yaml 
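Review bot: In the first params.pp hunk, `String $ps_main_port = '9090'` accepts any string, and that value is used as `dport` and inside the rule title in iptables.pp. Constraining it at the class boundary, e.g. `Pattern[/\A\d{1,5}\z/] $ps_main_port = '9090',`, rejects a mistyped Hiera value at compile time instead of producing a malformed firewall rule. The new `@param` lines also declare `[boolean]` where the signature uses `Boolean`; this follows the existing lines but is worth correcting while the block is being extended. The class body continues outside this hunk.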
@@ -0,0 +1,34 @@
+global:
+ scrape_interval: 60s
+ scrape_timeout: 10s
+ evaluation_interval: 15s
+storage:
+ tsdb:
+ out_of_order_time_window: 5m
+alerting:
+ alertmanagers:
+ - follow_redirects: true
+ scheme: http
+ timeout: 10s
+ api_version: v2
+ static_configs:
+ - targets: []
+scrape_configs:
+- job_name: prometheus
+ honor_timestamps: true
+ scrape_interval: 60s
+ scrape_timeout: 10s
+ metrics_path: /metrics
+ scheme: http
+ follow_redirects: true
+ static_configs:
+ - targets:
+ - localhost:9090
+ basic_auth:
+ username_file: /etc/prometheus/secrets/prometheus-auth/username
+ password_file: /etc/prometheus/secrets/prometheus-auth/password
+remote_write:
+ - url: "http://localhost:9090/api/v1/write"
+ basic_auth:
+ username_file: /etc/prometheus/secrets/prometheus-auth/username
+ password_file: /etc/prometheus/secrets/prometheus-auth/password
\ No newline at end of file
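Review bot: Both `basic_auth` blocks in templates/prometheus.yaml send credentials over plain HTTP (`scheme: http` in the scrape job, an `http://` URL in `remote_write`), which is tolerable only while every endpoint stays on localhost; once a target or the write URL points off-host it needs `scheme: https` with a `tls_config`. The files under `/etc/prometheus/secrets/prometheus-auth/` are not created anywhere in this commit, and dirs.pp manages only `/etc/prometheus` at mode 0755, so the secrets directory and files need their own resources with restrictive ownership and mode (for instance `mode => '0600'`). The `remote_write` URL points at the server's own port 9090, which looks like it feeds samples back into the same instance; confirm that this is intended. The file also ends without a trailing newline.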