diff --git a/CHANGELOG.md b/CHANGELOG.md
index 08b8b5b4..f2ce2a6e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release.
 * evoacme: variable to disable Debian version check (default: False)
 * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
 * minifirewall: upstream release 20.12
+* minifirewall: add variables to force upgrade the script and the config (default: False)
 * mysql: install save_mysql_processlist script
 * nextcloud: New role to setup a nextcloud instance
 * redis: variable to force use of port 6379 in instances mode
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index e12da941..fd4e726b 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -5,6 +5,9 @@ minifirewall_tail_file: /etc/default/minifirewall.tail
 minifirewall_tail_included: False
 minifirewall_tail_force: True
 
+minifirewall_force_upgrade_script: False
+minifirewall_force_upgrade_config: False
+
 minifirewall_git_url: "https://forge.evolix.org/minifirewall.git"
 minifirewall_checkout_path: "/tmp/minifirewall"
 minifirewall_int: "{{ ansible_default_ipv4.interface }}"
diff --git a/minifirewall/tasks/install.yml b/minifirewall/tasks/install.yml
index a4bcf734..5d6438ed 100644
--- a/minifirewall/tasks/install.yml
+++ b/minifirewall/tasks/install.yml
@@ -9,7 +9,7 @@
   template:
     src: minifirewall.j2
     dest: /etc/init.d/minifirewall
-    force: no
+    force: "{{ minifirewall_force_upgrade_script | default('no') }}"
     mode: "0700"
     owner: root
     group: root
@@ -18,7 +18,7 @@
   copy:
     src: minifirewall.conf
     dest: "{{ minifirewall_main_file }}"
-    force: no
+    force: "{{ minifirewall_force_upgrade_config | default('no') }}"
     mode: "0600"
     owner: root
     group: root