diff --git a/nodes/redis-1.json b/nodes/redis-1.json
index 006c81a..a5507e7 100644
--- a/nodes/redis-1.json
+++ b/nodes/redis-1.json
@@ -43,6 +43,7 @@
 "redisio::disable_os_default",
 "redisio::configure",
 "redisio::enable",
+ "kosmos_redis::firewall",
 "backup::default",
 "logrotate::default"
 ],
diff --git a/roles/redis_server.rb b/roles/redis_server.rb
index fa44105..f7fb88e 100644
--- a/roles/redis_server.rb
+++ b/roles/redis_server.rb
@@ -1,7 +1,18 @@
 name "redis_server"
-run_list %w(
+default_run_list = %w(
 kosmos_redis::default
 )
+production_run_list = %w(
+ kosmos_redis::default
+ kosmos_redis::firewall
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => default_run_list,
+ 'production' => production_run_list
+)
+
 default_attributes({})
diff --git a/site-cookbooks/kosmos_redis/metadata.rb b/site-cookbooks/kosmos_redis/metadata.rb
index 7cc76d1..e58b021 100644
--- a/site-cookbooks/kosmos_redis/metadata.rb
+++ b/site-cookbooks/kosmos_redis/metadata.rb
@@ -8,3 +8,4 @@ version '0.2.0'
 depends 'redisio'
 depends 'backup'
+depends 'kosmos-base'
diff --git a/site-cookbooks/kosmos_redis/recipes/default.rb b/site-cookbooks/kosmos_redis/recipes/default.rb
index 7755508..7153aca 100644
--- a/site-cookbooks/kosmos_redis/recipes/default.rb
+++ b/site-cookbooks/kosmos_redis/recipes/default.rb
@@ -7,6 +7,8 @@ include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
 unless node.chef_environment == "development"
+ include_recipe "kosmos_redis::firewall"
+
 # Backup the databases to S3
 databases = node['redisio']['servers'].map do |server, _|
 "dump-#{server['port']}"
diff --git a/site-cookbooks/kosmos_redis/recipes/firewall.rb b/site-cookbooks/kosmos_redis/recipes/firewall.rb
new file mode 100644
index 0000000..4911854
--- /dev/null
+++ b/site-cookbooks/kosmos_redis/recipes/firewall.rb
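Review bot: The environment gate in `env_run_lists` disagrees with the one in kosmos_redis::default — the role adds `kosmos_redis::firewall` only for `production`, while the recipe (same commit, later hunk) includes it for every environment other than development, so a third environment such as staging, or the `_default` environment, is firewalled by the recipe but not by the role. Because `kosmos_redis::default` is in every run list here, the recipe's condition is what actually decides, and `production_run_list` only restates it. Either drop `production_run_list` and keep the recipe as the single source of truth, or remove the include from the recipe so the role becomes it; if both stay, a comment such as `# firewall is also pulled in by kosmos_redis::default outside development; listed here only to make production explicit` would save the next reader from reconciling the two by hand.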
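Review bot: `include_recipe "kosmos_redis::firewall"` is evaluated after `include_recipe 'redisio::enable'`, so within one converge the Redis service resources are collected — and on a fresh node started — before any firewall resource exists; whether that opens a window depends on how kosmos-base::firewall applies its policy, which is not visible here, so moving the include ahead of the redisio includes is the cheap way to remove the question. The `unless node.chef_environment == "development"` block continues past the hunk, so the same exemption now covers both the host firewall and the S3 backup that follows. A comment stating that this is deliberate would help, e.g. `# development nodes get neither the host firewall nor S3 backups; keep in sync with roles/redis_server.rb`.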
@@ -0,0 +1,17 @@
+#
+# Cookbook Name:: kosmos_redis
+# Recipe:: firewall
+#
+
+include_recipe "kosmos-base::firewall"
+
+ports = node['redisio']['servers'].map do |server, _|
+ server['port']
+end
+
+firewall_rule "redis" do
+ port ports
+ source "10.1.1.0/24" # zerotier
+ protocol :tcp
+ command :allow
+end
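Review bot: The allow rule admits every host in `10.1.1.0/24`, so the effective access control for Redis becomes membership of the ZeroTier network; that is only as strong as the bind/`requirepass` settings in the redisio attributes, which this recipe does not show, and it is only meaningful if `kosmos-base::firewall` installs a default-deny policy — neither precondition is stated in the file. Replace the bare `# zerotier` with a header comment that names them, e.g. `# Expose the Redis ports only to the ZeroTier overlay (10.1.1.0/24). Assumes kosmos-base::firewall sets a default-deny policy and that Redis still requires auth for overlay peers.` Separately, `ports` is built from `server['port']` with no fallback, so a server entry that relies on redisio's default port would put `nil` into the rule; either `.compact` the array or fail loudly with `raise "every redisio server needs an explicit port" if ports.any?(&:nil?)` before the `firewall_rule`, rather than handing a nil port to the provider.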