diff --git a/DockerEnv b/DockerEnv
index ef6310375..282393804 100644
--- a/DockerEnv
+++ b/DockerEnv
@@ -4,6 +4,7 @@
 #OPENVPN_USERNAME=
 #OPENVPN_PASSWORD=
 #LOCAL_NETWORK=
+#ENABLE_UFW=false
 #TRANSMISSION_ALT_SPEED_DOWN=50
 #TRANSMISSION_ALT_SPEED_ENABLED=false
 #TRANSMISSION_ALT_SPEED_TIME_BEGIN=540
@@ -75,4 +76,4 @@
 #TRANSMISSION_UTP_ENABLED=true
 #TRANSMISSION_WATCH_DIR=/data/watch
 #TRANSMISSION_WATCH_DIR_ENABLED=true
-#TRANSMISSION_HOME=/data/transmission-home
\ No newline at end of file
+#TRANSMISSION_HOME=/data/transmission-home
diff --git a/Dockerfile b/Dockerfile
index 3243c0f2e..482c7f3ba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ VOLUME /config
 
 # Update packages and install software
 RUN apt-get update \
-    && apt-get -y install software-properties-common \
+    && apt-get -y install software-properties-common ufw \
     && add-apt-repository multiverse \
     && add-apt-repository ppa:transmissionbt/ppa \
     && apt-get update \
@@ -103,6 +103,7 @@ ENV OPENVPN_USERNAME=**None** \
     "TRANSMISSION_WATCH_DIR=/data/watch" \
     "TRANSMISSION_WATCH_DIR_ENABLED=true" \
     "TRANSMISSION_HOME=/data/transmission-home" \
+    "ENABLE_UFW=false" \
     PUID=\
     PGID=
 
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index f5ad2e746..08deb1ecc 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -11,7 +11,7 @@ VOLUME /config
 # Update packages and install software
 RUN apt-get update \
     && apt-get install -y transmission-cli transmission-common transmission-daemon \
-    && apt-get install -y openvpn curl \
+    && apt-get install -y openvpn curl ufw \
     && curl -sLO https://archive.raspbian.org/raspbian/pool/main/d/dumb-init/dumb-init_1.0.3-1_armhf.deb \
     && dpkg -i dumb-init_*.deb \
     && rm -rf dumb-init_*.deb \
@@ -100,6 +100,7 @@ ENV OPENVPN_USERNAME=**None** \
     "TRANSMISSION_WATCH_DIR=/data/watch" \
     "TRANSMISSION_WATCH_DIR_ENABLED=true" \
     "TRANSMISSION_HOME=/data/transmission-home" \
+    "ENABLE_UFW=false" \
     PUID=\
     PGID=
 
diff --git a/README.md b/README.md
index a81cc0d5f..64d2a6c28 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,15 @@ By default a folder named transmission-home will also be created under /data, th
 |`OPENVPN_OPTS` | Will be passed to OpenVPN on startup | See [OpenVPN doc](https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) |
 |`LOCAL_NETWORK` | Sets the local network that should have access. | `LOCAL_NETWORK=192.168.0.0/24`|
 
+### Firewall configuration options
+When enabled, the firewall blocks everything except traffic to the peer port and traffic to the rpc port from the LOCAL_NETWORK and the internal docker gateway.
+
+If TRANSMISSION_PEER_PORT_RANDOM_ON_START is enabled then it allows traffic to the range of peer ports defined by TRANSMISSION_PEER_PORT_RANDOM_HIGH and TRANSMISSION_PEER_PORT_RANDOM_LOW.
+
+| Variable | Function | Example |
+|----------|----------|-------|
+|`ENABLE_UFW` | Enables the firewall | `ENABLE_UFW=true`|
+
 ### Transmission configuration options
 
 You may override transmission options by setting the appropriate environment variable.
diff --git a/openvpn/start.sh b/openvpn/start.sh
index ad4eba23e..7f3479a9f 100755
--- a/openvpn/start.sh
+++ b/openvpn/start.sh
@@ -46,11 +46,35 @@ dockerize -template /etc/transmission/environment-variables.tmpl:/etc/transmissi
 
 TRANSMISSION_CONTROL_OPTS="--script-security 2 --up-delay --up /etc/transmission/start.sh --down /etc/transmission/stop.sh"
 
+if [ "true" = "$ENABLE_UFW" ]; then
+  # Enable firewall
+  echo "enabling firewall"
+  sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
+  ufw enable
+
+  if [ "true" = "$TRANSMISSION_PEER_PORT_RANDOM_ON_START" ]; then
+    PEER_PORT="$TRANSMISSION_PEER_PORT_RANDOM_LOW:$TRANSMISSION_PEER_PORT_RANDOM_HIGH/tcp"
+  else
+    PEER_PORT=$TRANSMISSION_PEER_PORT
+  fi
+
+  echo "allowing $PEER_PORT through the firewall"
+  ufw allow $PEER_PORT
+
+  eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
+  echo "allowing access to $TRANSMISSION_RPC_PORT from $GW"
+  ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT
+fi
+
 if [ -n "${LOCAL_NETWORK-}" ]; then
   eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
   if [ -n "${GW-}" -a -n "${INT-}" ]; then
     echo "adding route to local network $LOCAL_NETWORK via $GW dev $INT"
     /sbin/ip r a "$LOCAL_NETWORK" via "$GW" dev "$INT"
+    if [ "true" = "$ENABLE_UFW" ]; then
+      echo "allowing access to $TRANSMISSION_RPC_PORT from $LOCAL_NETWORK"
+      ufw allow proto tcp from $LOCAL_NETWORK to any port $TRANSMISSION_RPC_PORT
+    fi
   fi
 fi
 
diff --git a/transmission/environment-variables.tmpl b/transmission/environment-variables.tmpl
index fe736cdde..0e78a0133 100644
--- a/transmission/environment-variables.tmpl
+++ b/transmission/environment-variables.tmpl
@@ -75,5 +75,7 @@ export TRANSMISSION_WATCH_DIR_ENABLED={{ .Env.TRANSMISSION_WATCH_DIR_ENABLED }}
 # Transmission needs to know which VPN provider is used
 export OPENVPN_PROVIDER={{ .Env.OPENVPN_PROVIDER }}
 
+export ENABLE_UFW={{ .Env.ENABLE_UFW }}
+
 export PUID={{ .Env.PUID }}
 export PGID={{ .Env.PGID }}
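Review bot: The gateway rule `ufw allow proto tcp from $GW to any port $TRANSMISSION_RPC_PORT` runs even when the `eval` just above it produced nothing, unlike the existing LOCAL_NETWORK block which checks `-n "${GW-}"` first; with an empty GW the unquoted expansion drops the argument and ufw rejects the malformed rule, so the RPC port silently stays closed to the host — guard it the same way (and the `ip r l` lookup is now run twice, so one eval could serve both blocks). The two PEER_PORT branches also disagree: the random-range branch appends `/tcp` while the fixed-port branch passes `$TRANSMISSION_PEER_PORT` bare, which ufw opens for both TCP and UDP, so uTP (UDP, see TRANSMISSION_UTP_ENABLED elsewhere in this commit) would presumably be blocked only when random ports are in use. `ufw enable` may ask for confirmation when stdin is a tty (e.g. `docker run -it`); `ufw --force enable` is the non-interactive form. Note that ufw's default policy denies incoming only, so this does not stop outbound traffic leaving over a non-tun interface and should not be described as a kill switch; the hunk is top-level script code that continues on both sides. The rewrite below guards the gateway rule, makes the peer-port protocols consistent, and leaves the LOCAL_NETWORK block as is.
```shell
if [ "true" = "$ENABLE_UFW" ]; then
  # Enable firewall
  echo "enabling firewall"
  sed -i -e s/IPV6=yes/IPV6=no/ /etc/default/ufw
  ufw --force enable

  if [ "true" = "$TRANSMISSION_PEER_PORT_RANDOM_ON_START" ]; then
    PEER_PORT="$TRANSMISSION_PEER_PORT_RANDOM_LOW:$TRANSMISSION_PEER_PORT_RANDOM_HIGH"
  else
    PEER_PORT="$TRANSMISSION_PEER_PORT"
  fi

  # Peers use TCP, and UDP when uTP is enabled; open both for range and fixed port alike
  echo "allowing $PEER_PORT through the firewall"
  ufw allow "$PEER_PORT/tcp"
  ufw allow "$PEER_PORT/udp"

  eval $(/sbin/ip r l m 0.0.0.0 | awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}')
  if [ -n "${GW-}" ]; then
    echo "allowing access to $TRANSMISSION_RPC_PORT from $GW"
    ufw allow proto tcp from "$GW" to any port "$TRANSMISSION_RPC_PORT"
  else
    echo "could not determine docker gateway, rpc port $TRANSMISSION_RPC_PORT stays closed to the host" >&2
  fi
fi
# … unchanged: LOCAL_NETWORK route and rpc rule block …
```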