diff --git a/packstack/plugins/nagios_910.py b/packstack/plugins/nagios_910.py
index 1f90a0b64..c3249552e 100644
--- a/packstack/plugins/nagios_910.py
+++ b/packstack/plugins/nagios_910.py
@@ -172,6 +172,11 @@ def createnrpemanifests(config):
         controller.CONF['CONFIG_NRPE_HOST'] = hostname
         manifestfile = "%s_nagios_nrpe.pp" % hostname
         manifestdata = getManifestTemplate("nagios_nrpe.pp")
+        #Only the Nagios host is allowed to talk to nrpe
+        config['FIREWALL_ALLOWED'] = "'%s'" % config['CONFIG_NAGIOS_HOST']
+        config['FIREWALL_SERVICE_NAME'] = "nagios-nrpe"
+        config['FIREWALL_PORTS'] = '5666'
+        manifestdata += getManifestTemplate("firewall.pp")
         appendManifestFile(manifestfile, manifestdata)
 
     controller.MESSAGES.append("To use Nagios, browse to http://%s/nagios "
diff --git a/packstack/puppet/templates/nagios_nrpe.pp b/packstack/puppet/templates/nagios_nrpe.pp
index 453cecd14..c6525acde 100644
--- a/packstack/puppet/templates/nagios_nrpe.pp
+++ b/packstack/puppet/templates/nagios_nrpe.pp
@@ -34,8 +34,4 @@ service{'nrpe':
     hasstatus => true,
 }
 
-firewall { '001 nrpe incoming':
-    proto    => 'tcp',
-    dport    => ['5666'],
-    action   => 'accept',
-}
+