diff --git a/src/freedombone-app-keyserver b/src/freedombone-app-keyserver
index 3d15bb62920e2d07d627770f11313ffb08311697..6b5c39b566165928dad7f080d8aabdf74c287009 100755
--- a/src/freedombone-app-keyserver
+++ b/src/freedombone-app-keyserver
@@ -46,6 +46,16 @@ keyserver_variables=(ONION_ONLY
                      KEYSERVER_DOMAIN_NAME
                      KEYSERVER_CODE)
 
+function configure_firewall_for_keyserver {
+    if [[ $ONION_ONLY != "no" ]]; then
+        return
+    fi
+    firewall_add keyserver 11370 tcp
+    firewall_add keyserver 11371 tcp
+    firewall_add keyserver 11372 tcp
+    mark_completed $FUNCNAME
+}
+
 function logging_on_keyserver {
     echo -n ''
 }
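Review bot: The three `firewall_add` calls in configure_firewall_for_keyserver open 11370-11372/tcp to every source, with no comment saying which listener sits behind each port, so it is not possible to tell from the hunk whether all three need to be reachable from the internet. 11370 is conventionally the SKS reconciliation port, which only gossip peers need to reach, and 11371 is plain-text HKP. If `firewall_add` can restrict by source address, limit 11370 to the configured peers; otherwise document the exposure with a comment above the calls such as `# 11370 = SKS recon (peers only), 11371 = HKP, 11372 = <purpose, confirm>`. Separately, `mark_completed $FUNCNAME` records completion but the function never checks a completion marker on entry, so a re-run calls `firewall_add` again; confirm that helper is idempotent.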
@@ -133,6 +143,10 @@ function remove_keyserver {
     remove_onion_service keyserver ${KEYSERVER_ONION_PORT}
     remove_completion_param "install_keyserver"
 
+    firewall_remove 11370 tcp
+    firewall_remove 11371 tcp
+    firewall_remove 11372 tcp
+
     sed -i '/keyserver/d' $COMPLETION_FILE
     if [ -d /var/lib/sks ]; then
         rm -rf /var/lib/sks
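Review bot: The added `firewall_remove` calls run unconditionally, while configure_firewall_for_keyserver only adds the rules when `$ONION_ONLY` is "no", so an onion-only removal deletes rules this app never created. If `firewall_remove` matches on port and protocol alone, as its arguments here suggest, it could also close a port that something else on the host opened. I would guard the three calls with `if [[ $ONION_ONLY == "no" ]]; then` ... `fi`, or confirm that `firewall_remove` is a harmless no-op for absent rules. The port numbers are also repeated between the add and remove sides; a single shared list would keep the two from drifting apart. remove_keyserver starts and ends outside the hunk.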
@@ -373,6 +387,8 @@ function install_keyserver {
     function_check nginx_ensite
     nginx_ensite $KEYSERVER_DOMAIN_NAME
 
+    configure_firewall_for_keyserver
+
     systemctl restart nginx
 
     set_completion_param "keyserver domain" "$KEYSERVER_DOMAIN_NAME"
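Review bot: `configure_firewall_for_keyserver` is called without the `function_check` that precedes `nginx_ensite` two lines above; for consistency add `function_check configure_firewall_for_keyserver` before the call. The call's exit status is also ignored, so a failed `firewall_add` would go unnoticed and the install would still go on to `set_completion_param`. Whether that matters depends on how `firewall_add` reports errors, which is not visible here. install_keyserver starts and ends outside the hunk.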