diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall
new file mode 100644
index 00000000..632f3e8a
--- /dev/null
+++ b/minifirewall/files/check_minifirewall
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+is_alert5_enabled() {
+ # It's not very clear how to reliably detect if a SysVinit script
+ # wrapped in a systemd unit is enabled or not.
+ # Even when the script is not started in any run level, systemd says "active".
+ # So we test the SysVinit script path:
+ # if present, we test for an rc2.d symlink
+ # if missing, we ask systemd if a unit is active or not.
+ if test -f /etc/init.d/alert5; then
+ test -f /etc/rc2.d/S*alert5
+ else
+ systemctl is-active alert5 | grep -q "^active$"
+ fi
+}
+
+is_minifirewall_enabled() {
+ # TODO: instead of nested conditionals, we could loop with many possible paths
+ # and grep the first found, or error if none is found
+ if test -f /etc/rc2.d/S*alert5; then
+ grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5
+ else
+ if test -f /usr/share/scripts/alert5.sh; then
+ grep -q "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh
+ else
+ return_critical "No Alert5 scripts has been found."
+ fi
+ fi
+}
+
+is_minifirewall_started() {
+ if test -x /usr/share/scripts/minifirewall_status; then
+ /usr/share/scripts/minifirewall_status > /dev/null
+ else
+ /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+ fi
+}
+
+return_critical() {
+ echo "CRITICAL: $1"
+ exit 2
+}
+
+return_warning() {
+ echo "WARNING: $1"
+ exit 1
+}
+
+return_ok() {
+ echo "OK: $1"
+ exit 0
+}
+
+main() {
+ if is_alert5_enabled; then
+ if is_minifirewall_enabled; then
+ if is_minifirewall_started; then
+ return_ok "Minifirewall is started."
+ else
+ return_critical "Minifirewall is not started."
+ fi
+ else
+ if is_minifirewall_started; then
+ return_warning "Minifirewall is started, but disabled in alert5."
+ else
+ return_ok "Minifirewall is not started, but disabled in alert5."
+ fi
+ fi
+ else
+ if is_minifirewall_started; then
+ return_warning "Minifirewall is started, but Alert5 script is not enabled."
+ else
+ return_ok "Minifirewall is not started and Alert5 script is not enabled."
+ fi
+ fi
+}
+
+main
diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status
new file mode 100644
index 00000000..7bf09285
--- /dev/null
+++ b/minifirewall/files/minifirewall_status
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+is_started() {
+ /sbin/iptables -L -n \
+ | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+}
+return_started() {
+ echo "started"
+ exit 0
+}
+return_stopped() {
+ echo "stopped"
+ exit 1
+}
+
+is_started && return_started || return_stopped
diff --git a/minifirewall/handlers/main.yml b/minifirewall/handlers/main.yml
new file mode 100644
index 00000000..5ba1926c
--- /dev/null
+++ b/minifirewall/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart nagios-nrpe-server
+ service:
+ name: nagios-nrpe-server
+ state: restarted
diff --git a/minifirewall/tasks/main.yml b/minifirewall/tasks/main.yml
index 851d1917..1e135780 100644
--- a/minifirewall/tasks/main.yml
+++ b/minifirewall/tasks/main.yml
@@ -4,6 +4,8 @@ - include: config.yml +- include: nrpe.yml + - include: activate.yml - include: tail.yml
diff --git a/minifirewall/tasks/nrpe.yml b/minifirewall/tasks/nrpe.yml
new file mode 100644
index 00000000..bb92553e
--- /dev/null
+++ b/minifirewall/tasks/nrpe.yml
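Review bot: The fallback probe in is_minifirewall_started runs `/sbin/iptables -L -n` without `-w`, so when another process holds the xtables lock at that instant (for example while minifirewall itself is reloading) the listing can fail, grep matches nothing, and main() reports CRITICAL "not started" for a firewall that is up; `/sbin/iptables -w -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"` waits for the lock instead, and the same probe appears in minifirewall_status below. That listing also covers IPv4 only, so a host whose rules live in ip6tables is never considered started by this heuristic; a comment such as `# IPv4 rules only: ip6tables state is not inspected` above the fallback would make that limit visible to whoever reads the CRITICAL. Separately, `test -f /etc/rc2.d/S*alert5` uses an unquoted glob, so a second S*alert5 link makes test fail with "too many arguments" and is_alert5_enabled silently reports disabled.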
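Review bot: In is_started the `grep -E` carries no `-q`, so every matching iptables row is written to stdout before the word "started", and any consumer reading this script's output sees the raw rule lines as well as the status word. `| grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"` keeps the exit status and reduces the output to the one word. check_minifirewall above redirects this to /dev/null, which hides the extra lines only for that caller.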
@@ -0,0 +1,56 @@
+---
+
+- include_role:
+ name: remount-usr
+
+- name: /usr/share/scripts exists
+ file:
+ dest: /usr/share/scripts
+ mode: "0700"
+ owner: root
+ group: root
+ state: directory
+
+- name: minifirewall_status is installed
+ copy:
+ src: minifirewall_status
+ dest: /usr/share/scripts/minifirewall_status
+ force: no
+ mode: "0700"
+ owner: root
+ group: root
+
+- name: /usr/local/lib/nagios/plugins/ exists
+ file:
+ dest: "{{ item }}"
+ mode: "02755"
+ owner: root
+ group: staff
+ state: directory
+ with_items:
+ - /usr/local/lib/nagios
+ - /usr/local/lib/nagios/plugins
+
+- name: check_minifirewall is installed
+ copy:
+ src: check_minifirewall
+ dest: /usr/local/lib/nagios/plugins/check_minifirewall
+ force: no
+ mode: "0755"
+ owner: root
+ group: staff
+
+- name: check_minifirewall is available for NRPE
+ lineinfile:
+ dest: /etc/nagios/nrpe.d/evolix.cfg
+ regexp: 'command\[check_minifirewall\]'
+ line: 'command[check_minifirewall]=sudo /usr/local/lib/nagios/plugins/check_minifirewall'
+ notify: restart nagios-nrpe-server
+
+- name: sudo without password for nagios
+ lineinfile:
+ dest: /etc/sudoers.d/evolinux
+ regexp: 'check_minifirewall'
+ line: 'nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall'
+ insertafter: '^nagios'
+ validate: "visudo -cf %s"
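Review bot: Both copy tasks set `force: no`, so once check_minifirewall and minifirewall_status exist on a host the role never updates them again, and the sudoers task in the same file makes check_minifirewall run as root without a password for the nagios user. That combination means a later fix or hardening of a root-executed script silently fails to reach already-provisioned hosts, which is the opposite of what one wants for privileged monitoring code. Unless there is a deliberate reason to preserve locally edited copies, dropping the `force: no` line (the module default is `force: yes`) on both tasks keeps the role the source of truth; if the reason is deliberate, a comment stating it above each task would stop the next maintainer from removing it.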