diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54807d8d..60d262e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,38 +11,39 @@ The **patch** part changes incrementally at each release. ## [Unreleased] ### Added -* postfix: add lines in /etc/.gitignore -* nagios-nrpe: add "check_open_files" plugin -* nagios-nrpe: mark plugins as executable -* mysql-oracle: new role to install MySQL 5.7 with Oracle packages -* mysql: remount /usr before creating scripts directory -* packweb-apache: choose mysql variant (default: `debian`) -* haproxy: install Munin plugins -* proftpd: use proftpd_accounts list for manage ftp accounts +* added a few become attributes where missing * etc-git: add tags for Ansible * evolinux-base: install ncurses-term package -* added a few become attributes where missing -* redmine: added missing tags +* haproxy: install Munin plugins +* minifirewall: add "check_minifirewall" Nagios plugin (and `minifirewall_status` script) +* mysql-oracle: new role to install MySQL 5.7 with Oracle packages +* mysql: remount /usr before creating scripts directory +* nagios-nrpe: add "check_open_files" plugin +* nagios-nrpe: mark plugins as executable * nodejs: Yarn package manager can be installed (default: `false`) +* packweb-apache: choose mysql variant (default: `debian`) +* postfix: add lines in /etc/.gitignore +* proftpd: use "proftpd_accounts" list to manage ftp accounts +* redmine: added missing tags ### Changed -* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`). * elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`) -* nagios-nrpe: mark plugins as executable -* mongodb: configuration is forced by default but it's configurable (default: `false`) -* mongodb: allow unauthenticated packages for Jessie -* mongodb: rename logrotate script -* nginx: package name can be specified (default: `nginx-full`) +* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`). 
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues) -* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined +* mongodb: allow unauthenticated packages for Jessie +* mongodb: configuration is forced by default but it's configurable (default: `false`) +* mongodb: rename logrotate script +* nagios-nrpe: mark plugins as executable +* nginx: don't debug variables in verbosity 0 +* nginx: package name can be specified (default: `nginx-full`) * php: fix FPM custom file permissions * php: more tasks notify FPM handler to restart if needed -* nginx: don't debug variables in verbosity 0 +* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined ### Fixed -* nginx: fix basic auth for default vhost * dovecot: fix support of plus sign * mysql/mysql-oracle: mysqltuner cron task is executable +* nginx: fix basic auth for default vhost * rbenv: fix become user issue with copy tasks ## [9.1.6] - 2018-02-02 diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml index 4f82138d..a6eaa2fc 100644 --- a/minifirewall/defaults/main.yml +++ b/minifirewall/defaults/main.yml @@ -25,3 +25,5 @@ minifirewall_private_ports_udp: [] minifirewall_autostart: "no" evomaintenance_hosts: [] + +nagios_plugins_directory: "/usr/local/lib/nagios/plugins" diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall new file mode 100644 index 00000000..632f3e8a --- /dev/null +++ b/minifirewall/files/check_minifirewall 
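Review bot: The new `nagios_plugins_directory` default in minifirewall/defaults/main.yml duplicates a variable the nagios-nrpe role already relies on (its evolix.cfg.j2 template expands `{{ nagios_plugins_directory }}`), so the same path is now declared in two roles' defaults. If the two values ever diverge, which one wins depends on role load order and is easy to get wrong silently; a comment such as `# must match nagios-nrpe's nagios_plugins_directory` above the line, or sourcing the value from a single place, would make the coupling explicit. This is inferred from the template usage only; the nagios-nrpe defaults file is not in this diff.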
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+    # It's not very clear how to reliably detect if a SysVinit script
+    # wrapped in a systemd unit is enabled or not.
+    # Even when the script is not started in any run level, systemd says "active".
+    # So we test the SysVinit script path:
+    # if present, we test for an rc2.d symlink
+    # if missing, we ask systemd if a unit is active or not.
+    if test -f /etc/init.d/alert5; then
+        test -f /etc/rc2.d/S*alert5
+    else
+        systemctl is-active alert5 | grep -q "^active$"
+    fi
+}
+
+is_minifirewall_enabled() {
+    # TODO: instead of nested conditionals, we could loop with many possible paths
+    # and grep the first found, or error if none is found
+    if test -f /etc/rc2.d/S*alert5; then
+        grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+    else
+        if test -f /usr/share/scripts/alert5.sh; then
+            grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+        else
+            return_critical "No Alert5 scripts has been found."
+        fi
+    fi
+}
+
+is_minifirewall_started() {
+    if test -x /usr/share/scripts/minifirewall_status; then
+        /usr/share/scripts/minifirewall_status > /dev/null
+    else
+        /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+    fi
+}
+
+return_critical() {
+    echo "CRITICAL: $1"
+    exit 2
+}
+
+return_warning() {
+    echo "WARNING: $1"
+    exit 1
+}
+
+return_ok() {
+    echo "OK: $1"
+    exit 0
+}
+
+main() {
+    if is_alert5_enabled; then
+        if is_minifirewall_enabled; then
+            if is_minifirewall_started; then
+                return_ok "Minifirewall is started."
+            else
+                return_critical "Minifirewall is not started."
+            fi
+        else
+            if is_minifirewall_started; then
+                return_warning "Minifirewall is started, but disabled in alert5."
+            else
+                return_ok "Minifirewall is not started, but disabled in alert5."
+            fi
+        fi
+    else
+        if is_minifirewall_started; then
+            return_warning "Minifirewall is started, but Alert5 script is not enabled."
+        else
+            return_ok "Minifirewall is not started and Alert5 script is not enabled."
+        fi
+    fi
+}
+
+main
diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status
new file mode 100644
index 00000000..7bf09285
--- /dev/null
+++ b/minifirewall/files/minifirewall_status
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+    /sbin/iptables -L -n \
+    | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+    echo "started"
+    exit 0
+}
+return_stopped() {
+    echo "stopped"
+    exit 1
+}
+
+is_started && return_started || return_stopped
diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml
new file mode 100644
index 00000000..5ba1926c
--- /dev/null
+++ b/minifirewall/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+  service:
+    name: nagios-nrpe-server
+    state: restarted
diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml
index 851d1917..1e135780 100644
--- a/minifirewall/tasks/main.yml
+++ b/minifirewall/tasks/main.yml
@@ -4,6 +4,8 @@
 - include: config.yml
+- include: nrpe.yml
+
 - include: activate.yml
 - include: tail.yml
diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml
new file mode 100644
index 00000000..2e8569f8
--- /dev/null
+++ b/minifirewall/tasks/nrpe.yml
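Review bot: `test -f /etc/rc2.d/S*alert5` in is_alert5_enabled, and the same unquoted glob handed to grep in is_minifirewall_enabled, misbehave as soon as the pattern expands to more than one entry: `test` aborts with "too many arguments" and the function reports alert5 as disabled, while `grep -q` would silently read several files. Iterating the matches keeps the current result for an unexpanded glob and tolerates several links, e.g. `for f in /etc/rc2.d/S*alert5; do test -f "$f" && return 0; done; return 1`, with the grep loop written the same way. Separately, the iptables fallback in is_minifirewall_started treats any `ACCEPT icmp 0.0.0.0/0 0.0.0.0/0` or `DROP udp 0.0.0.0/0 0.0.0.0/0` rule as proof that minifirewall is running, so a rule installed by another tool would yield an OK, and only IPv4 is inspected; a one-line comment above it, `# heuristic: presumably the catch-all udp/icmp rules minifirewall installs; IPv4 only`, would keep the next maintainer from reading it as authoritative. The plugin is invoked through the NRPE sudo entry added in this change, so the iptables call itself runs with the privileges it needs.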
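Review bot: is_started in minifirewall_status cannot tell "no rules" from "iptables failed": when the script is run without root, or when the iptables binary is missing, `/sbin/iptables -L -n` prints an error to stderr and returns non-zero, the pipeline's grep sees no input, and the script answers "stopped" with exit 1 exactly as for a genuinely stopped firewall. check_minifirewall redirects stdout and treats any non-zero status as "not started", so a permissions problem surfaces as a CRITICAL about the firewall instead of a check error. Capturing the listing first, `rules=$(/sbin/iptables -L -n) || { echo "unknown"; exit 3; }`, then running `printf '%s\n' "$rules" | grep -E "…"`, would separate the two cases (the caller would then need to map exit 3 to UNKNOWN, which is outside this file). The rule regex is also duplicated verbatim in check_minifirewall's fallback; a comment pointing at the other copy, `# keep in sync with check_minifirewall`, is the minimum to stop them drifting.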
@@ -0,0 +1,53 @@
+---
+
+- include_role:
+    name: remount-usr
+
+- name: /usr/share/scripts exists
+  file:
+    dest: /usr/share/scripts
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: minifirewall_status is installed
+  copy:
+    src: minifirewall_status
+    dest: /usr/share/scripts/minifirewall_status
+    force: no
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+  file:
+    dest: "{{ nagios_plugins_directory }}"
+    mode: "02755"
+    owner: root
+    group: staff
+    state: directory
+
+- name: check_minifirewall is installed
+  copy:
+    src: check_minifirewall
+    dest: "{{ nagios_plugins_directory }}/check_minifirewall"
+    force: no
+    mode: "0755"
+    owner: root
+    group: staff
+
+- name: check_minifirewall is available for NRPE
+  lineinfile:
+    dest: /etc/nagios/nrpe.d/evolix.cfg
+    regexp: 'command\[check_minifirewall\]'
+    line: 'command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall'
+  notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+  lineinfile:
+    dest: /etc/sudoers.d/evolinux
+    regexp: 'check_minifirewall'
+    line: 'nagios ALL = NOPASSWD: {{ nagios_plugins_directory }}/check_minifirewall'
+    insertafter: '^nagios'
+    validate: "visudo -cf %s"
diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2
index 3d07600e..0be4e38e 100644
--- a/nagios-nrpe/templates/evolix.cfg.j2
+++ b/nagios-nrpe/templates/evolix.cfg.j2
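Review bot: `force: no` on both copy tasks means a host that already has minifirewall_status or check_minifirewall keeps its current copy forever, so a later fix to a script that the new sudoers line lets the nagios user run as root will never reach hosts provisioned once; if the intent is to preserve local modifications, a comment above each task saying so (`# force: no — never overwrite a locally edited copy`) should state it, otherwise the attribute should go. The two lineinfile tasks also assume `/etc/nagios/nrpe.d/evolix.cfg` and `/etc/sudoers.d/evolinux` already exist (lineinfile does not create its destination by default), which makes this role fail on a host where the nagios-nrpe role has not run, and tasks/main.yml includes nrpe.yml unconditionally. A `when` guarded by a stat of those files, or `create: yes` together with `mode: "0440"` and `owner: root` on the sudoers task so the file stays in the shape sudo accepts, would make the dependency explicit. `insertafter: '^nagios'` silently falls back to appending at end of file when no such line exists, which is fine but worth a short comment.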
@@ -66,6 +66,7 @@ command[check_glusterfs]={{ nagios_plugins_directory }}/check_glusterfs -v all -
 command[check_supervisord_status]={{ nagios_plugins_directory }}/check_supervisord
 command[check_varnish]={{ nagios_plugins_directory }}/check_varnish_health -i 127.0.0.1 -p 6082 -s /etc/varnish/secret -w 2 -c 4
 command[check_haproxy]={{ nagios_plugins_directory }}/check_haproxy_stats -s /var/run/haproxy.sock -w 80 -c 90
+command[check_minifirewall]=sudo {{ nagios_plugins_directory }}/check_minifirewall
 
 # Check HTTP "many". Use this to check many websites (http, https, ports, sockets and SSL certificates).
 # Beware! All checks must not take more than 10s!
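Review bot: The template now declares `check_minifirewall` with `sudo` on every host that gets the nagios-nrpe role, but the matching NOPASSWD rule and the plugin file are only installed by the minifirewall role's tasks/nrpe.yml in this same change, so on a host without minifirewall the command exists, sudo cannot run non-interactively, and the check surfaces as an NRPE execution error rather than a status. Since minifirewall's nrpe.yml already adds this exact line with lineinfile (and its regexp matches this template line, so there is no duplication), the template entry is redundant; if it is kept, gating it on a variable such as `{% if minifirewall_nrpe_check | default(false) %}` would keep NRPE configs on other hosts clean. Whether the nagios-nrpe role ships its own sudoers entries is not visible in this diff.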