diff --git a/.gitmodules b/.gitmodules
index 8c2af5e..4c70729 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -34,3 +34,9 @@
 [submodule "roles/goaccess"]
 	path = roles/goaccess
 	url = https://github.com/roles-ansible/ansible_role_goaccess.git
+[submodule "roles/geerlingguy.firewall"]
+	path = roles/geerlingguy.firewall
+	url = https://github.com/geerlingguy/ansible-role-firewall.git
+[submodule "roles/robertdebock.fail2ban"]
+	path = roles/robertdebock.fail2ban
+	url = https://github.com/robertdebock/ansible-role-fail2ban.git
diff --git a/host_vars/web01.l3d.space.yml b/host_vars/web01.l3d.space.yml
index a65343d..816a5ab 100644
--- a/host_vars/web01.l3d.space.yml
+++ b/host_vars/web01.l3d.space.yml
@@ -32,5 +32,12 @@ nginx_sites:
   - name: 'c3woc.cn'
   - name: 'www.c3woc.cn'
 
-
 acme_notification_email: "acme_{{ inventory_hostname }}@l3d.yt"
+
+# firewall
+firewall_allowed_tcp_ports:
+  - "22"
+  - "25"
+  - "80"
+  - "443"
+fail2ban_destemail: "fail2ban_notify_{{ inventory_hostname }}@l3d.yt"
diff --git a/roles/geerlingguy.firewall b/roles/geerlingguy.firewall
new file mode 160000
index 0000000..adb052a
--- /dev/null
+++ b/roles/geerlingguy.firewall
@@ -0,0 +1 @@
+Subproject commit adb052a45012227b217555c528f3213659c9f553
diff --git a/roles/robertdebock.fail2ban b/roles/robertdebock.fail2ban
new file mode 160000
index 0000000..a354bc9
--- /dev/null
+++ b/roles/robertdebock.fail2ban
@@ -0,0 +1 @@
+Subproject commit a354bc92a63853b8d16a6292b0d9d629e18c2f95
diff --git a/site.yml b/site.yml
index 45ca31f..7cfd99d 100644
--- a/site.yml
+++ b/site.yml
@@ -14,6 +14,8 @@
     - { role: dotfiles, tags: [default,dotfiles]}
     - { role: ssh_auth, tags: [default,users]}
     - { role: sshd, tags: [default,users]}
+    - { role: geerlingguy.firewall, tags: [default,firewall], become: true}
+    - { role: robertdebock.fail2ban, tags: [default,fail2ban], become: true}
 
 - name: deploy web config
   hosts: web