diff --git a/bkctld b/bkctld
index 9e54e6b..98200ce 100755
--- a/bkctld
+++ b/bkctld
@@ -33,7 +33,7 @@ case "${subcommand}" in
 "key" | "port" | "ip")
 "${LIBDIR}/bkctld-${subcommand}" "${jail}" "${option}"
 ;;
- "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove")
+ "start" | "stop" | "reload" | "restart" | "sync" | "update" | "remove" | "firewall")
 if [ "${jail}" = "all" ]; then
 ls "${JAILDIR}"|xargs --no-run-if-empty --max-args=1 --max-procs=0 "${LIBDIR}/bkctld-${subcommand}"
 else
diff --git a/lib/bkctld-firewall b/lib/bkctld-firewall
new file mode 100755
index 0000000..264398f
--- /dev/null
+++ b/lib/bkctld-firewall
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+LIBDIR="$(dirname $0)" && . "${LIBDIR}/config"
+
+jail="${1:-}"
+[ -n "${jail}" ] || usage
+
+if [ -n "${FIREWALL_RULES}" ]; then
+ [ -f "${FIREWALL_RULES}" ] && sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
+ if ( check_jail "${jail}" ); then
+ port=$("${LIBDIR}/bkctld-port" "${jail}")
+ for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do
+ echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
+ done
+ [ -f /etc/init.d/minifirewall ] && /etc/init.d/minifirewall restart >/dev/null
+ fi
+ notice "${jail} : firewall rules updated"
+fi
diff --git a/lib/bkctld-ip b/lib/bkctld-ip
index 3b8f10e..25b326c 100755
--- a/lib/bkctld-ip
+++ b/lib/bkctld-ip
@@ -23,8 +23,7 @@ else
 allow="${allow} root@${ip}"
 done
 sed -i "s~^AllowUsers .*~${allow}~" "${JAILDIR}/$jail/${SSHD_CONFIG}"
- set_firewall "${jail}"
 notice "${jail} : update ip => ${ip}"
- check_jail_on "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"
+ "${LIBDIR}/bkctld-firewall" "${jail}"
 fi
diff --git a/lib/bkctld-port b/lib/bkctld-port
index ee73356..6c8b0fb 100755
--- a/lib/bkctld-port
+++ b/lib/bkctld-port
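Review bot: `bkctld firewall all` now goes through the `--max-procs=0` xargs fan-out on the line below the changed arm, so one bkctld-firewall process per jail runs with unbounded parallelism, and each of them does `sed -i` on and appends to the same ${FIREWALL_RULES} file and restarts minifirewall. `sed -i` rewrites the file through a temporary copy, so an append from a concurrent process can be silently lost and the resulting rule set depends on scheduling. Either run this subcommand with `--max-procs=1` or serialize the rewrite inside lib/bkctld-firewall with a lock, e.g. `exec 9>"${FIREWALL_RULES}.lock" && flock 9` before the first `sed -i`. The enclosing case statement starts and ends outside the hunk.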
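Review bot: The `/etc/init.d/minifirewall restart` on the `[ -f /etc/init.d/minifirewall ]` line only runs inside the `if ( check_jail "${jail}" )` branch, so when the jail no longer exists — the call added in lib/bkctld-remove — the jail's lines are deleted from ${FIREWALL_RULES} but the already-loaded ACCEPT rules stay active until something else restarts the firewall, leaving the removed jail's port reachable. Move that line after the inner `fi` so the restart happens whenever the file was edited: `fi` / `[ -f /etc/init.d/minifirewall ] && /etc/init.d/minifirewall restart >/dev/null` / `notice "${jail} : firewall rules updated"`. `${jail}` is also interpolated raw into the `sed` address, and `${ip}`/`${port}` are written unescaped into a file that is presumably sourced by minifirewall as root, so a header comment stating that jail names and allowed IPs are expected to be already validated (or a `case "${ip}" in *[!0-9./]*) ... ;; esac` reject before the echo) would document that trust boundary; `$(dirname $0)` should be `$(dirname "$0")`.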
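Review bot: The removed `check_jail_on "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"` line has no replacement, so after AllowUsers is rewritten in the jail's sshd_config the running sshd is never reloaded and keeps the previous allow list until the jail is restarted; the lib/bkctld-port hunk drops its reload the same way, so a new Port likewise does not take effect. Unless the reload has moved somewhere outside this diff, keep it after the firewall update: `"${LIBDIR}/bkctld-firewall" "${jail}"` followed by `check_jail_on "${jail}" && "${LIBDIR}/bkctld-reload" "${jail}"`. The enclosing if/else starts outside the hunk.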
@@ -16,8 +16,7 @@ else
 [ "${port}" -le 1 ] && port=2222
 fi
 sed -i "s/^Port .*/Port ${port}/" "${JAILDIR}/$jail/${SSHD_CONFIG}"
- set_firewall "${jail}"
 notice "${jail} : update port => ${port}"
- check_jail_on "${jail}" && . "${LIBDIR}/bkctld-reload" "${jail}"
+ "${LIBDIR}/bkctld-firewall" "${jail}"
 fi
diff --git a/lib/bkctld-remove b/lib/bkctld-remove
index 13f668e..c423a43 100755
--- a/lib/bkctld-remove
+++ b/lib/bkctld-remove
@@ -26,5 +26,5 @@ if [ -d "${INCDIR}/${jail}" ]; then
 done
 rmdir --ignore-fail-on-non-empty "${INCDIR}/${jail}" | debug
 fi
-set_firewall "${jail}"
+"${LIBDIR}/bkctld-firewall" "${jail}"
 notice "${jail} : deleted jail"
diff --git a/lib/functions b/lib/functions
index 74d5b4f..9a66bc4 100755
--- a/lib/functions
+++ b/lib/functions
@@ -12,6 +12,7 @@ Subcommands:
 reload |all Reload jail or all
 restart |all Restart jail or all
 sync |all Sync jail or all to another node
+ firewall |all Update firewall rules of or all
 status [] Print status of (default all jail)
 key [] Set or get ssh pubic key of
 port [|auto] Set or get ssh port of
@@ -56,21 +57,3 @@ get_inc() {
 fi
 echo "${inc}"
 }
-
-set_firewall() {
- jail="${1}"
- if [ -n "${FIREWALL_RULES}" ]; then
- if [ -f "${FIREWALL_RULES}" ]; then
- sed -i "/#${jail}$/d" "${FIREWALL_RULES}"
- fi
- if ( check_jail "${jail}" ); then
- port=$("${LIBDIR}/bkctld-port" "${jail}")
- for ip in $("${LIBDIR}/bkctld-ip" "${jail}"); do
- echo "/sbin/iptables -A INPUT -p tcp --sport 1024: --dport ${port} -s ${ip} -j ACCEPT #${jail}" >> "${FIREWALL_RULES}"
- done
- if [ -f /etc/init.d/minifirewall ]; then
- /etc/init.d/minifirewall restart >/dev/null
- fi
- fi
- fi
-}