diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index f08e7c107277d6b2f78b95e3e779c0ce5feccd4b..21d34e41ae8d579d716174c1124a4568673165d1 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -49,4 +49,4 @@
     - { role: archwiki, tags: ["archwiki"] }
   tasks:
     - name: open firewall hole for hefurd
-      firewalld: port=6969/tcp permanent=true state=enabled
+      firewalld: port=6969/tcp permanent=true state=enabled immediate=yes
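Review bot: The hefurd task on the changed line carries no `when: configure_firewall` guard, unlike the firewalld tasks in the role files of this commit, so with `immediate=yes` it now alters the running firewall on every run of this play. The hunk has no trailing context, so the task appears to end the file and no guard follows it. If the variable is defined for this play, add `when: configure_firewall` under the `firewalld:` line. Otherwise a one-line comment saying why 6969/tcp is opened unconditionally would help the next reader.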
diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 45d0614e260a8122fad475b153a0a14e901abc70..5c7653c7fc574043920bacdaddff7f09ae580739 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -225,7 +225,7 @@
   service: name=rsyncd.socket enabled=yes state=started
 
 - name: open firewall holes for rsync
-  firewalld: service=rsyncd permanent=true state=enabled
+  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
 
 - name: configure svnserve
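Review bot: The added argument is spelled `immediate=yes` right next to `permanent=true`, so one task line now mixes two spellings of the same boolean. Writing `immediate=true` keeps the line consistent. The same applies to every firewalld line this commit touches. A follow-up could also move these tasks from the `key=value` string form to a native YAML mapping, which is easier to diff and review when a firewall rule changes.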
@@ -235,7 +235,7 @@
   service: name=svnserve enabled=yes state=started
 
 - name: open firewall holes for svnserve
-  firewalld: port=3690/tcp permanent=true state=enabled
+  firewalld: port=3690/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
 
 - name: install systemd timers
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index 99b43e15b181a562edede00e42d48633ca5597b5..af832d7162d2db54e1caaab07a704156b6398341 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -18,7 +18,7 @@
   service: name=dovecot enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - pop3
     - pop3s
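Review bot: The `pop3` item in this loop opens the cleartext POP3 port, and with `immediate=yes` it is reachable as soon as the task runs rather than after the next firewalld reload. The dovecot configuration is not visible here, so please confirm it refuses plaintext authentication on that listener (dovecot's `ssl = required` and `disable_plaintext_auth = yes`), or drop `pop3` from the list and keep only `pop3s`. The `with_items` list continues past the end of the hunk, so other cleartext services may need the same check.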
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 29f72724a711033d4470387eabdde42b69ffdb26..dee4ae4cad272d4cc3e8a40e3d2ce917cecdda4e 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -48,6 +48,6 @@
   # the source addresses here could be tightened up more, but it's far better
   # than having mariadb open to the world
 - name: open firewall holes to other infrastructure hosts
-  firewalld: service=mysql permanent=true state="{{'disabled' if mariadb_skip_networking else 'enabled'}}" source={{item}}
+  firewalld: service=mysql permanent=true state="{{'disabled' if mariadb_skip_networking else 'enabled'}}" source={{item}} immediate=yes
   with_items: "{{ groups['all'] }}"
   when: configure_firewall
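Review bot: Combining `service=mysql` with `source={{item}}` on one firewalld task probably does not restrict the service to those sources. As far as I know the module applies `service` and `source` as two independent settings on the zone, so mysql is enabled for the whole default zone and each source is merely bound to it. With `immediate=yes` that exposure now takes effect at runtime straight away, and the postgres hunk (`service=postgresql ... source={{item}}`) has the same shape. Consider a dedicated zone (`zone=` holding only the sources and the service) or a per-host rich rule, e.g. `rich_rule='rule family="ipv4" source address="{{item}}" service name="mysql" accept'`. Also check that `groups['all']` yields addresses rather than inventory hostnames, since firewalld sources are IP/CIDR values.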
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index d2404689c3cb51dbf4819cd4adb8419110e83c52..541594d39b8af331f1a1a029c99a097340536a6a 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -67,7 +67,7 @@
   service: name=nginx enabled=yes
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - http
     - https
diff --git a/roles/oidentd/tasks/main.yml b/roles/oidentd/tasks/main.yml
index ea499dadc52da108161e24e487b63a44759d8bc1..da16e65a10a6ccbac1d8729a6b757f391719ba72 100644
--- a/roles/oidentd/tasks/main.yml
+++ b/roles/oidentd/tasks/main.yml
@@ -12,5 +12,5 @@
     - oidentd.socket
 
 - name: open firewall holes
-  firewalld: port=113/tcp permanent=true state=enabled
+  firewalld: port=113/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index 69dbdf0d1b6777a2cb25f79a5114ca5c78eb8352..1b9da151c13bb3db1f4a6ebbee86219626f8574e 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -86,7 +86,7 @@
     - compat_maps.db
 
 - name: open firewall holes
-  firewalld: service={{item}} permanent=true state=enabled
+  firewalld: service={{item}} permanent=true state=enabled immediate=yes
   with_items:
     - smtp
     - smtp-submission
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 33578bc63afbd698ba72bc93c47315a4620680f5..5254a2958cc2af0e40ab01a95aea3517aa415b3d 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -51,6 +51,6 @@
   when: postgres_ssl == 'on'
 
 - name: open firewall holes to known postgresql clients
-  firewalld: service=postgresql permanent=true state=enabled source={{item}}
+  firewalld: service=postgresql permanent=true state=enabled source={{item}} immediate=yes
   with_items: "{{ postgres_ssl_hosts }}"
   when: configure_firewall
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
index 713f1f2feb7c1f0b11f6e3113195f51033a2f50c..2a7269f6ec63cb77b3748f41c03a8bbbf832d40a 100644
--- a/roles/quassel/tasks/main.yml
+++ b/roles/quassel/tasks/main.yml
@@ -63,5 +63,5 @@
     - clean-quassel.timer
 
 - name: open firewall holes
-  firewalld: port=4242/tcp permanent=true state=enabled
+  firewalld: port=4242/tcp permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 03322775c48d072403101f9ac4ff4fc363650ccc..0bb89b28290cec513d59d29221ea6719160f0d3b 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -18,5 +18,5 @@
   service: name=sshd enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=ssh permanent=true state=enabled
+  firewalld: service=ssh permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 1363560042fb5fecd185294c1d33a0eb8ba6183e..86317f6217eb96ce3446172b556f6d29e0c358b5 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -45,5 +45,5 @@
   tags: ['nginx']
 
 - name: open firewall holes
-  firewalld: service=rsyncd permanent=true state=enabled
+  firewalld: service=rsyncd permanent=true state=enabled immediate=yes
   when: configure_firewall
diff --git a/roles/zabbix-agent/tasks/main.yml b/roles/zabbix-agent/tasks/main.yml
index 9523ea6e170485baedc5d2cd908b4f0123d083e3..af0c8dd0af9906f05af1de12948d1dfa5c1e85c1 100644
--- a/roles/zabbix-agent/tasks/main.yml
+++ b/roles/zabbix-agent/tasks/main.yml
@@ -63,5 +63,5 @@
   service: name=zabbix-agent enabled=yes state=started
 
 - name: open firewall holes
-  firewalld: service=zabbix-agent permanent=true state=enabled
+  firewalld: service=zabbix-agent permanent=true state=enabled immediate=yes
   when: configure_firewall