diff --git a/openwrt/openwrt-default-firewall.sh b/openwrt/openwrt-default-firewall.sh
new file mode 100644
index 0000000..fe6badf
--- /dev/null
+++ b/openwrt/openwrt-default-firewall.sh
@@ -0,0 +1,49 @@
+#!/bin/sh
+# 2022-01-21, Nico Schottelius
+
+# Firewall configuration
+if ! uci show firewall | grep "name='Allow-SSH'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-SSH'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTPS'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTPS'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='443'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTP'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTP'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='80'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-Remote-SSH-Access'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-Remote-SSH-Access'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].enabled='0'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+
+# Add interfaces to the right network zone
+uci set firewall.@zone[1].network='wan wan6 wg0'
+
+uci commit
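Review bot: The three `dest='lan'` forward rules (Allow-SSH, Allow-HTTPS, Allow-HTTP) carry no `dest_ip`, so once committed they accept connections from the whole wan zone to ports 22, 80 and 443 on every LAN host, and the final `uci set` also places `wg0` in that zone, so WireGuard peers get the same reach. If the intent is to expose specific hosts, add `uci set firewall.@rule[-1].dest_ip='<LAN-HOST-IP>'` to each of those rules (or use a `redirect` section for NATed IPv4); otherwise a comment should say why LAN-wide exposure is wanted. The zone update relies on `firewall.@zone[1]` being the wan zone by position; resolving it by name, e.g. `wan_zone=$(uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='wan'$/\1/p")` followed by `uci set "firewall.${wan_zone}.network=wan wan6 wg0"`, avoids overwriting the lan zone's networks if the zone order differs on a device. Nothing reloads the firewall after `uci commit`, so the rules only take effect at the next `/etc/init.d/firewall reload`, and the `grep` guards would be quieter as `grep -q`.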