diff --git a/deploy-guide/source/deploymenthost.rst b/deploy-guide/source/deploymenthost.rst
index 9cb472f477..83f4fb08cd 100644
--- a/deploy-guide/source/deploymenthost.rst
+++ b/deploy-guide/source/deploymenthost.rst
@@ -85,6 +85,23 @@ Before you begin, we recommend upgrading your system packages and kernel.
 
 #. Configure NTP to synchronize with a suitable time source.
 
+#. The ``firewalld`` service is enabled on most CentOS systems by default and
+   its default ruleset prevents OpenStack components from communicating
+   properly. Stop the ``firewalld`` service and mask it to prevent it from
+   starting:
+
+   .. code-block:: shell-session
+
+       # systemctl stop firewalld
+       # systemctl mask firewalld
+
+.. note::
+
+    There is `future work planned <https://bugs.launchpad.net/openstack-ansible/+bug/1657518>`_
+    to create proper firewall rules for OpenStack services in OpenStack-Ansible
+    deployments. Until that work is complete, deployers must maintain their
+    own firewall rulesets or disable the firewall entirely.
+
 Configure the network
 ~~~~~~~~~~~~~~~~~~~~~