diff --git a/packstack/plugins/amqp_002.py b/packstack/plugins/amqp_002.py
index a8e597fb5..e12cecd10 100644
--- a/packstack/plugins/amqp_002.py
+++ b/packstack/plugins/amqp_002.py
@@ -246,8 +246,9 @@ def create_manifest(config, messages):
 # All hosts should be able to talk to amqp
 config['FIREWALL_SERVICE_NAME'] = "amqp"
- config['FIREWALL_PORTS'] = "'5671', '5672'"
+ config['FIREWALL_PORTS'] = "['5671', '5672']"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 for host in filtered_hosts(config, exclude=False):
 config['FIREWALL_ALLOWED'] = "'%s'" % host
 config['FIREWALL_SERVICE_ID'] = "amqp_%s" % host
diff --git a/packstack/plugins/ceilometer_800.py b/packstack/plugins/ceilometer_800.py
index 20037b034..d33a9509b 100644
--- a/packstack/plugins/ceilometer_800.py
+++ b/packstack/plugins/ceilometer_800.py
@@ -115,6 +115,7 @@ def create_manifest(config, messages):
 config['FIREWALL_SERVICE_ID'] = 'ceilometer_api'
 config['FIREWALL_PORTS'] = "'8777'"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 manifestdata += getManifestTemplate("firewall.pp")
 # Add a template that creates a group for nova because the ceilometer
 # class needs it
@@ -129,6 +130,7 @@ def create_mongodb_manifest(config, messages):
 config['FIREWALL_ALLOWED'] = "'%s'" % config['CONFIG_CONTROLLER_HOST']
 config['FIREWALL_SERVICE_NAME'] = 'mongodb-server'
 config['FIREWALL_PORTS'] = "'27017'"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata, 'pre')
diff --git a/packstack/plugins/cinder_250.py b/packstack/plugins/cinder_250.py
index 97e0dc689..b171eace1 100644
--- a/packstack/plugins/cinder_250.py
+++ b/packstack/plugins/cinder_250.py
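Review bot: With the brackets removed from the template, the Puppet syntax for `ports` is now assembled in the Python callers, and the convention differs between them: this hunk writes a bracketed list string `"['5671', '5672']"`, single-port callers (ceilometer, glance, mysql, nova) keep an unbracketed quoted string, and nagios passes `'5666'` with no inner quotes at all, which renders as a bare integer in the manifest. The define may accept all three shapes, but a reader of a plugin can no longer tell from the value alone what will be emitted, and a missing quote or bracket is only caught when Puppet parses the manifest. I would pick one shape for every caller, e.g. always a list literal (`config['FIREWALL_PORTS'] = "['5666']"` for nagios), and state that convention in a comment next to the first assignment. The same remark applies to the cinder, keystone, nagios and swift hunks.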
@@ -360,9 +360,9 @@ def create_manifest(config, messages):
 manifestdata += getManifestTemplate('cinder_backup.pp')
 config['FIREWALL_SERVICE_NAME'] = "cinder"
- config['FIREWALL_PORTS'] = "'3260', '8776'"
+ config['FIREWALL_PORTS'] = "['3260', '8776']"
 config['FIREWALL_CHAIN'] = "INPUT"
-
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 if (config['CONFIG_NOVA_INSTALL'] == 'y' and
 config['CONFIG_VMWARE_BACKEND'] == 'n'):
 for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
diff --git a/packstack/plugins/glance_200.py b/packstack/plugins/glance_200.py
index 3c4daf746..e57ad8abe 100644
--- a/packstack/plugins/glance_200.py
+++ b/packstack/plugins/glance_200.py
@@ -95,6 +95,7 @@ def create_manifest(config, messages):
 config['FIREWALL_SERVICE_NAME'] = "glance"
 config['FIREWALL_PORTS'] = "'9292'"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 if config['CONFIG_NOVA_INSTALL'] == 'y':
 for host in split_hosts(config['CONFIG_COMPUTE_HOSTS']):
 config['FIREWALL_ALLOWED'] = "'%s'" % host
diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index 726d1b6ed..7440ec9cc 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -115,8 +115,9 @@ def create_manifest(config, messages):
 config['FIREWALL_ALLOWED'] = "'ALL'"
 config['FIREWALL_SERVICE_NAME'] = "keystone"
 config['FIREWALL_SERVICE_ID'] = "keystone"
- config['FIREWALL_PORTS'] = "'5000', '35357'"
+ config['FIREWALL_PORTS'] = "['5000', '35357']"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/mysql_001.py b/packstack/plugins/mysql_001.py
index c90a38359..d5138bbb6 100644
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
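Review bot: The blank line that separated the FIREWALL_* settings from the `if (config['CONFIG_NOVA_INSTALL'] == 'y' and` block is consumed by the new `config['FIREWALL_PROTOCOL'] = 'tcp'` line instead of being kept, so the protocol assignment now reads as the opening of the conditional rather than as the last of the firewall settings. I would place it directly after the `FIREWALL_CHAIN` line and keep the separating blank line; the neutron (`@@ -701`) and swift hunks make the same substitution. create_manifest continues outside the hunk.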
@@ -112,6 +112,7 @@ def create_manifest(config, messages):
 config['FIREWALL_SERVICE_NAME'] = "mysql"
 config['FIREWALL_PORTS'] = "'3306'"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 for host in hosts:
 config['FIREWALL_ALLOWED'] = "'%s'" % host
 config['FIREWALL_SERVICE_ID'] = "mysql_%s" % host
diff --git a/packstack/plugins/nagios_910.py b/packstack/plugins/nagios_910.py
index 41ff0b4d8..dd48967ec 100644
--- a/packstack/plugins/nagios_910.py
+++ b/packstack/plugins/nagios_910.py
@@ -189,6 +189,7 @@ def create_nrpe_manifests(config, messages):
 config['FIREWALL_SERVICE_ID'] = "nagios_nrpe"
 config['FIREWALL_PORTS'] = '5666'
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 manifestdata += getManifestTemplate("firewall.pp")
 appendManifestFile(manifestfile, manifestdata)
diff --git a/packstack/plugins/neutron_350.py b/packstack/plugins/neutron_350.py
index ae9444ed6..07d72dae1 100644
--- a/packstack/plugins/neutron_350.py
+++ b/packstack/plugins/neutron_350.py
@@ -701,7 +701,7 @@ def create_manifests(config, messages):
 config['FIREWALL_SERVICE_NAME'] = "neutron server"
 config['FIREWALL_PORTS'] = "'9696'"
 config['FIREWALL_CHAIN'] = "INPUT"
-
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 for host in q_hosts:
 manifest_file = "%s_neutron.pp" % (host,)
 manifest_data = getManifestTemplate("neutron.pp")
@@ -727,14 +727,14 @@ def create_manifests(config, messages):
 manifest_data = getManifestTemplate(plugin_manifest)
 # We also need to open VXLAN/GRE port for agent
- firewall_template = "firewall.pp"
 if use_openvswitch_vxlan(config) or use_openvswitch_gre(config):
 if use_openvswitch_vxlan(config):
- tunnel_port = "'4789'"
+ config['FIREWALL_PROTOCOL'] = 'udp'
+ tunnel_port = ("'%s'"
+ % config['CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT'])
 else:
- config['FIREWALL_PROTOCOL'] = "'gre'"
- firewall_template = "firewall_proto.pp"
- tunnel_port = ""
+ config['FIREWALL_PROTOCOL'] = 'gre'
+ tunnel_port = 'undef'
 for f_host in q_hosts:
 config['FIREWALL_ALLOWED'] = "'%s'" % f_host
 config['FIREWALL_SERVICE_NAME'] = "neutron tunnel port"
@@ -742,7 +742,7 @@ def create_manifests(config, messages):
 % (host, f_host))
 config['FIREWALL_PORTS'] = tunnel_port
 config['FIREWALL_CHAIN'] = "INPUT"
- manifest_data += getManifestTemplate(firewall_template)
+ manifest_data += getManifestTemplate('firewall.pp')
 appendManifestFile(manifest_file, manifest_data, 'neutron')
@@ -786,6 +786,7 @@ def create_dhcp_manifests(config, messages):
 manifest_file = "%s_neutron.pp" % (host,)
 # Firewall Rules
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 for f_host in q_hosts:
 config['FIREWALL_ALLOWED'] = "'%s'" % f_host
 config['FIREWALL_SERVICE_NAME'] = "neutron dhcp in"
diff --git a/packstack/plugins/nova_300.py b/packstack/plugins/nova_300.py
index 8f2f974e5..dd4a569d6 100644
--- a/packstack/plugins/nova_300.py
+++ b/packstack/plugins/nova_300.py
@@ -496,6 +496,7 @@ def create_compute_manifest(config, messages):
 config['FIREWALL_SERVICE_ID'] = "nova_compute"
 config['FIREWALL_PORTS'] = "'5900-5999'"
 config['FIREWALL_CHAIN'] = "INPUT"
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 manifestdata += getManifestTemplate("firewall.pp")
 manifestdata += "\n" + nova_config_options.getManifestEntry()
diff --git a/packstack/plugins/swift_600.py b/packstack/plugins/swift_600.py
index 0ba6b7298..8e193ef62 100644
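Review bot: The tunnel block overwrites the shared `config['FIREWALL_PROTOCOL']` with `'udp'` or `'gre'` and never restores it, while the `'tcp'` value for the "neutron server" rule is set only once, before the `for host in q_hosts` loop in the previous hunk. If the firewall.pp render for the neutron server rule happens inside that per-host loop (the render is outside the hunk, so I cannot confirm), every host after the first gets its 9696 rule emitted with the tunnel protocol instead of tcp, and later plugins are safe only because each one reassigns the key. I would set the protocol immediately before each `getManifestTemplate('firewall.pp')` call rather than once per function, or at least restore `config['FIREWALL_PROTOCOL'] = 'tcp'` after the tunnel loop. Separately, `CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT` now lands verbatim in generated Puppet code, which is fine if the option is validated as an integer where it is defined — worth confirming, since an unvalidated value would be written into the manifest unchecked. create_manifests starts and ends outside the hunk.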
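Review bot: `config['FIREWALL_PROTOCOL'] = 'tcp'` is set for the "neutron dhcp in" rules, but DHCP is a UDP service (server port 67, client port 68); under the old define default of `['tcp', 'udp']` these rules matched both protocols, so restricting them to tcp would stop permitting the DHCP traffic they exist for, unless the ports opened in the loop are something other than the DHCP ports (the port assignment is outside the hunk, so I cannot confirm). If they are the DHCP ports the line should read `config['FIREWALL_PROTOCOL'] = 'udp'`, with a short comment saying why this rule differs from the rest of the file. create_dhcp_manifests starts and ends outside the hunk.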
--- a/packstack/plugins/swift_600.py
+++ b/packstack/plugins/swift_600.py
@@ -295,9 +295,9 @@ def create_storage_manifest(config, messages):
 hosts |= split_hosts(config['CONFIG_COMPUTE_HOSTS'])
 config['FIREWALL_SERVICE_NAME'] = "swift storage and rsync"
- config['FIREWALL_PORTS'] = "'6000', '6001', '6002', '873'"
+ config['FIREWALL_PORTS'] = "['6000', '6001', '6002', '873']"
 config['FIREWALL_CHAIN'] = "INPUT"
-
+ config['FIREWALL_PROTOCOL'] = 'tcp'
 for host in hosts:
 config['FIREWALL_ALLOWED'] = "'%s'" % host
 config['FIREWALL_SERVICE_ID'] = "swift_storage_and_rsync_%s" % host
diff --git a/packstack/puppet/modules/packstack/manifests/firewall.pp b/packstack/puppet/modules/packstack/manifests/firewall.pp
index a05137122..2370070fd 100644
--- a/packstack/puppet/modules/packstack/manifests/firewall.pp
+++ b/packstack/puppet/modules/packstack/manifests/firewall.pp
@@ -2,7 +2,7 @@
 # hosts that need to connect via FIREWALL_PORTS
 # using FIREWALL_CHAIN
-define packstack::firewall($host, $service_name, $chain = "INPUT", $ports = undef, $proto = ['tcp', 'udp']) {
+define packstack::firewall($host, $service_name, $chain = "INPUT", $ports = undef, $proto = 'tcp') {
 $source = $host ? {
 'ALL' => '0.0.0.0/0',
 default => $host,
diff --git a/packstack/puppet/templates/firewall.pp b/packstack/puppet/templates/firewall.pp
index 2b2c13419..a52d793f6 100644
--- a/packstack/puppet/templates/firewall.pp
+++ b/packstack/puppet/templates/firewall.pp
@@ -6,6 +6,6 @@ packstack::firewall {'%(FIREWALL_SERVICE_ID)s':
 host => %(FIREWALL_ALLOWED)s,
 service_name => '%(FIREWALL_SERVICE_NAME)s',
 chain => '%(FIREWALL_CHAIN)s',
- ports => [%(FIREWALL_PORTS)s],
+ ports => %(FIREWALL_PORTS)s,
+ proto => '%(FIREWALL_PROTOCOL)s',
 }
-
diff --git a/packstack/puppet/templates/firewall_proto.pp b/packstack/puppet/templates/firewall_proto.pp
deleted file mode 100644
index 43ef7e2df..000000000
--- a/packstack/puppet/templates/firewall_proto.pp
+++ /dev/null
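Review bot: The define's header comment (`# hosts that need to connect via FIREWALL_PORTS` / `# using FIREWALL_CHAIN`) says nothing about the protocol, which this hunk turns into a parameter whose default narrows from `['tcp', 'udp']` to `'tcp'`; I would extend it with a line such as `# on protocol $proto (default tcp; the firewall.pp template always passes it explicitly)`. The narrowing is the right direction — rules no longer open both tcp and udp for every port — but any direct user of the define that relied on the udp half of the old default loses it silently, so the change of default deserves a mention in the commit message. The body of the define continues outside the hunk.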
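Review bot: The template now quotes `proto` itself but emits `ports` raw, so the two placeholders have opposite quoting contracts and nothing in the file says so; a caller that passes an already-quoted protocol, as the removed neutron code did with `"'gre'"`, would render as `''gre''`. A header comment spelling this out, e.g. `# FIREWALL_PORTS must be Puppet syntax (quoted string, list literal or undef); FIREWALL_PROTOCOL is a bare protocol name`, would keep the next plugin from guessing. Note also that every render of this template now requires FIREWALL_PROTOCOL to be present in config, so a plugin not touched by this commit that renders firewall.pp will presumably fail at substitution or pick up whatever value the previous plugin left behind.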
@@ -1,11 +0,0 @@
-# Create firewall rules to allow only the FIREWALL_ALLOWED
-# hosts that need to connect via FIREWALL_PORTS
-# using FIREWALL_CHAIN
-
-packstack::firewall {'%(FIREWALL_SERVICE_ID)s':
- host => %(FIREWALL_ALLOWED)s,
- service_name => '%(FIREWALL_SERVICE_NAME)s',
- chain => '%(FIREWALL_CHAIN)s',
- proto => [%(FIREWALL_PROTOCOL)s],
-}
-