diff --git a/roles/fw-ferm/files/ferm2.conf b/roles/fw-ferm/files/ferm2.conf
new file mode 100644
index 0000000..5d5d94f
--- /dev/null
+++ b/roles/fw-ferm/files/ferm2.conf
@@ -0,0 +1,47 @@
+# -*- shell-script -*-
+
+@def $DEV_VPN= wg0;
+
+table filter {
+chain INPUT {
+policy DROP;
+
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+
+# allow local connections
+interface lo ACCEPT;
+interface $DEV_VPN{
+# respond to ping
+proto icmp icmp-type echo-request ACCEPT;
+# disallow ssh
+saddr proto tcp dport ssh DROP;
+}
+}#FIN INPUT
+
+# outgoing connections are not limited
+chain OUTPUT {
+policy ACCEPT;
+interface $DEV_VPN{
+# allow ssh
+daddr proto tcp dport ssh ACCEPT;
+# respond to ping
+proto icmp icmp-type echo-request ACCEPT;
+}
+}#FIN OUTPUT
+
+chain FORWARD {
+policy ACCEPT;
+
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+
+# connections from the internal net to the internet or to other
+# internal nets are allowed
+interface $DEV_VPN ACCEPT;
+
+# the rest is dropped by the above policy
+}#FIN FO
+}
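Review bot: The FORWARD chain's closing comment says "the rest is dropped by the above policy", but the chain opens with `policy ACCEPT;`, so everything is forwarded regardless of interface, the `interface $DEV_VPN ACCEPT;` rule is a no-op, and traffic arriving on any other interface is forwarded too; if the comment states the intent, the line should read `policy DROP;`. In the OUTPUT chain, `interface $DEV_VPN{` matches on the input interface, which iptables does not permit in OUTPUT; that block should be `outerface $DEV_VPN{`. The rules `saddr proto tcp dport ssh DROP;` and `daddr proto tcp dport ssh ACCEPT;` appear to be missing the address operand after `saddr`/`daddr`, so ferm will most likely reject them or treat `proto` as the address, which leaves the stated ssh handling unverified. Note also that with INPUT at `policy DROP` and no ssh ACCEPT anywhere, only sessions already in ESTABLISHED state survive loading this file, which is worth documenting in the header comment if the role is applied over ssh.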