diff --git a/packstack/plugins/mysql_001.py b/packstack/plugins/mysql_001.py
index c903a176a..f416f6805 100644
--- a/packstack/plugins/mysql_001.py
+++ b/packstack/plugins/mysql_001.py
@@ -103,8 +103,31 @@ def createmanifest(config):
 manifestdata.append(getManifestTemplate(template))
 append_for("keystone", suffix)
+ hosts = set()
 for mod in ['nova', 'cinder', 'glance', 'neutron', 'heat']:
 if config['CONFIG_%s_INSTALL' % mod.upper()] == 'y':
 append_for(mod, suffix)
+ # Check wich modules are enabled so we can allow their
+ # hosts on the firewall
+ if mod != 'nova' and mod != 'neutron':
+ hosts.add(config.get('CONFIG_%s_HOST' % mod.upper()).strip())
+ elif mod == 'neutron':
+ hosts.add(config.get('CONFIG_NEUTRON_SERVER_HOST').strip())
+ else:
+ #In that remote case that we have lot's of nova hosts
+ hosts.add(config.get('CONFIG_NOVA_API_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_CERT_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_VNCPROXY_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_CONDUCTOR_HOST').strip())
+ hosts.add(config.get('CONFIG_NOVA_SCHED_HOST').strip())
+ if config['CONFIG_NEUTRON_INSTALL'] != 'y':
+ hosts.add(config.get('CONFIG_NOVA_NETWORK_HOST').strip())
+ for host in config.get('CONFIG_NOVA_COMPUTE_HOSTS').split(','):
+ hosts.add(host.strip())
+
+ config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+ config['FIREWALL_SERVICE_NAME'] = "mysql"
+ config['FIREWALL_PORTS'] = "'3306'"
+ manifestdata.append(getManifestTemplate("firewall.pp"))
 appendManifestFile(manifestfile, "\n".join(manifestdata), 'pre')
diff --git a/packstack/puppet/templates/firewall.pp b/packstack/puppet/templates/firewall.pp
new file mode 100644
index 000000000..d5542223f
--- /dev/null
+++ b/packstack/puppet/templates/firewall.pp
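Review bot: The allow-list built inside the loop never includes the keystone host, although the context line `append_for("keystone", suffix)` shows keystone gets a database here too; once the blanket 3306 accept rule is gone (see the mysql_install.pp hunk) keystone only reaches MySQL when it happens to be co-located with one of the listed services, so add `hosts.add(config.get('CONFIG_KEYSTONE_HOST').strip())` right after `hosts = set()`. Every value is then interpolated into the generated Puppet manifest as `'%s'` with no escaping or shape check, so a field containing a quote or comma, or an empty element from a trailing comma in `CONFIG_NOVA_COMPUTE_HOSTS` (which yields `''`), corrupts or loosens the emitted rules instead of failing early; skip empties with `if host.strip():` and reject anything that is not an IP address or hostname before the `",".join(...)`. `config.get(...)` returns None for an absent key and the following `.strip()` raises AttributeError, so if these keys are guaranteed present `config['...']` states that assumption more honestly than `.get`. createmanifest begins before this hunk.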
@@ -0,0 +1,15 @@
+# Create firewall rules to allow only the hosts that need to connect
+# to %(FIREWALL_SERVICE_NAME)s
+
+$hosts = [ %(FIREWALL_ALLOWED)s ]
+
+define add_allow_host {
+ firewall { "001 %(FIREWALL_SERVICE_NAME)s incoming ${title}":
+ proto => 'tcp',
+ dport => [%(FIREWALL_PORTS)s],
+ action => 'accept',
+ source => $title,
+ }
+}
+
+add_allow_host { $hosts:}
diff --git a/packstack/puppet/templates/mysql_install.pp b/packstack/puppet/templates/mysql_install.pp
index f80d6c1f6..3f95fb26e 100644
--- a/packstack/puppet/templates/mysql_install.pp
+++ b/packstack/puppet/templates/mysql_install.pp
@@ -21,8 +21,3 @@ if ($::fqdn != $::hostname and $::hostname != "localhost") {
 }
 }
-firewall { '001 mysql incoming':
- proto => 'tcp',
- dport => ['3306'],
- action => 'accept',
-}
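Review bot: `$hosts` and `define add_allow_host` are declared at top scope in a fragment whose `%(FIREWALL_SERVICE_NAME)s` placeholder makes clear it is meant to be reused per service, so if a second plugin ever appends this template to the same manifest file Puppet will fail on the reassignment of `$hosts` and the redefinition of `add_allow_host`; naming the variable after the service (`$%(FIREWALL_SERVICE_NAME)s_hosts`) and keeping the define in one shared place would let the fragment be included more than once. `source => $title` passes through whatever the generator placed in `FIREWALL_ALLOWED`, so a malformed or empty entry would presumably surface only when the agent applies the catalog, which means the host validation has to live on the Python side before the list is joined. The header comment could also state the contract, for example `# Expects FIREWALL_SERVICE_NAME, FIREWALL_PORTS and FIREWALL_ALLOWED (comma-separated quoted hosts) from the generating plugin.`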