diff --git a/README.md b/README.md index 036c6c9..25bfe78 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,7 @@ Global variables apply across your Ansible project and are loaded from `vars.yml | `custom_iso` (optional) | Skip ArchISO checks and pacman setup on installer media. | `true`, `false (default)` | | `cis` (optional) | Adjusts the installation to be CIS level 3 conformant. | `true`, `false (default)` | | `selinux` (optional) | Toggle SELinux where supported. | `true (default)`, `false` | +| `firewalld_enabled` (optional) | Toggle firewalld package/service enablement. | `true (default)`, `false` | ### 2.2 Hypervisor Access (virtual installs) diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml index 0a2d114..e6eacad 100644 --- a/roles/bootstrap/vars/main.yml +++ b/roles/bootstrap/vars/main.yml @@ -4,6 +4,7 @@ bootstrap_almalinux: - dbus-daemon - dhcp-client - efibootmgr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - glibc-langpack-de - glibc-langpack-en - grub2 @@ -33,7 +34,7 @@ bootstrap_archlinux: - dhcpcd - efibootmgr - fastfetch - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - fzf - grub @@ -90,7 +91,7 @@ bootstrap_debian11: - bat - curl - entr - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - fzf - htop @@ -139,7 +140,7 @@ bootstrap_debian12: - curl - duf - entr - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - fzf - htop @@ -195,7 +196,7 @@ bootstrap_debian13: - duf - entr - fastfetch - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - fzf - htop @@ -233,6 +234,7 @@ bootstrap_fedora: - duf - efibootmgr - entr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - fzf - glibc-langpack-de @@ -266,6 +268,7 @@ bootstrap_rhel8: - bind-utils - dhcp-client - efibootmgr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - glibc-langpack-de - glibc-langpack-en - grub2 
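Review bot: Each templated item `"{{ 'firewalld' if firewalld_enabled | bool else '' }}"` leaves a literal empty string in the package list when the toggle is off, because one YAML sequence element cannot expand to zero items; the same applies to the archlinux, debian11/12/13, fedora and rhel8 lists in this file and to the rhel9, rhel10, rocky, ubuntu and ubuntu_lts hunks that follow. Whether the package module tolerates `''` depends on the consuming task, which is not in this diff, so the list should either be filtered at the point of use, `{{ bootstrap_almalinux | reject('equalto', '') | list }}`, or keep the plain `- firewalld` entries and strip them there with `| difference(['firewalld'] if not firewalld_enabled | bool else [])`. Either form keeps the vars files free of placeholder entries that other consumers of these lists might not expect. The list definitions (`bootstrap_almalinux:` and the rest) begin outside the hunks.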
@@ -291,6 +294,7 @@ bootstrap_rhel9: - bind-utils - dhcp-client - efibootmgr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - glibc-langpack-de - glibc-langpack-en - grub2 @@ -316,6 +320,7 @@ bootstrap_rhel9: bootstrap_rhel10: - bind-utils - efibootmgr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - glibc-langpack-de - glibc-langpack-en - grub2 @@ -343,6 +348,7 @@ bootstrap_rocky: - dbus-daemon - dhcp-client - efibootmgr + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - glibc-langpack-de - glibc-langpack-en - grub2 @@ -394,7 +400,7 @@ bootstrap_ubuntu: - eza - fdupes - fio - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - htop - jq @@ -457,7 +463,7 @@ bootstrap_ubuntu_lts: - eza - fdupes - fio - - firewalld + - "{{ 'firewalld' if firewalld_enabled | bool else '' }}" - fish - htop - jq diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml index 0315bcf..a018814 100644 --- a/roles/configuration/tasks/services.yml +++ b/roles/configuration/tasks/services.yml @@ -2,6 +2,7 @@ - name: Enable Systemd Services ansible.builtin.command: > arch-chroot /mnt systemctl enable NetworkManager + {{ ' firewalld' if firewalld_enabled | bool else '' }} {{ ' ssh' if os | lower in ['ubuntu', 'ubuntu-lts'] else (' sshd' if os | lower not in ['debian11', 'debian12', 'debian13'] else '') @@ -12,3 +13,10 @@ }} register: configuration_enable_services_result changed_when: configuration_enable_services_result.rc == 0 + +- name: Disable firewalld when disabled + when: not firewalld_enabled | bool + ansible.builtin.command: arch-chroot /mnt systemctl disable --now firewalld + register: configuration_disable_firewalld_result + changed_when: configuration_disable_firewalld_result.rc == 0 + failed_when: false diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml index 0442f29..492335c 100644 --- a/roles/global_defaults/defaults/main.yml 
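Review bot: `failed_when: false` on the new "Disable firewalld when disabled" task masks every error rather than the expected one, and `changed_when: configuration_disable_firewalld_result.rc == 0` then reports a change even when the unit was already disabled or never installed. Inside `arch-chroot /mnt` there is presumably no running systemd instance to stop anything, so `--now` is likely a no-op or an error there; the sibling enable task in the hunk above relies on the offline symlink behaviour and does not use it. I would drop `--now`, replace `failed_when: false` with a condition that only tolerates the missing-unit case, and add `# firewalld is absent from the bootstrap lists when disabled; this only covers a dependency pull-in.` above the task so the reader knows why it is best-effort.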
+++ b/roles/global_defaults/defaults/main.yml @@ -4,6 +4,7 @@ custom_iso: false cis: false selinux: true vmware_ssh: false +firewalld_enabled: true cis_enabled: "{{ cis | bool }}" custom_iso_enabled: "{{ custom_iso | bool }}" diff --git a/vars_baremetal_example.yml b/vars_baremetal_example.yml index ee3610c..57d7ec2 100644 --- a/vars_baremetal_example.yml +++ b/vars_baremetal_example.yml @@ -8,6 +8,7 @@ filesystem: "btrfs" cis: false selinux: true +firewalld_enabled: true luks_enabled: true luks_passphrase: "1234" diff --git a/vars_example.yml b/vars_example.yml index 3aa7075..7f39e5b 100644 --- a/vars_example.yml +++ b/vars_example.yml @@ -7,6 +7,7 @@ install_drive: "/dev/sda" # Use /dev/vda for virtio/libvirt. custom_iso: false # Set true to skip ArchISO-specific validation and pacman setup. cis: false # Set true to enable CIS hardening. selinux: true # Toggle SELinux where supported. +firewalld_enabled: true # Toggle firewalld package and service. hypervisor_url: "pve01.example.com" hypervisor_username: "root@pam"
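Review bot: The new default `firewalld_enabled: true` sits next to `cis_enabled: "{{ cis | bool }}"` and `custom_iso_enabled: "{{ custom_iso | bool }}"`, where the `*_enabled` suffix marks a derived, bool-normalised value and the bare name is the user-facing toggle; the new variable uses the derived name as the user-facing one, so every consumer in this diff still has to write `firewalld_enabled | bool`. Following the existing convention would be `firewalld: true` plus `firewalld_enabled: "{{ firewalld | bool }}"`, with the README, `vars_example.yml` and `vars_baremetal_example.yml` renamed to match. If the name is kept as is, a comment such as `# direct toggle; consumers must cast with | bool` would save the next reader the question.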