diff --git a/firewalld/Dockerfile b/firewalld/Dockerfile
new file mode 100644
index 0000000..69d743a
--- /dev/null
+++ b/firewalld/Dockerfile
@@ -0,0 +1,39 @@
+# Would it be too large to use fedora as base?
+FROM registry.fedoraproject.org/fedora:latest
+
+ENV VERSION=0 RELEASE=1 ARCH=X86_64
+
+LABEL com.redhat.component="firewalld" \
+ name="$FGC/firewalld" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ usage="atomic install --system --system-package=no firewalld && systemctl start firewalld" \
+ summary="The firewalld as a system container." \
+ maintainer="Rui xin Bao " \
+ atomic.type="system"
+
+RUN dnf install --setopt=tsflags=nodocs -y firewalld kmod && \
+ rpm -V firewalld kmod && \
+ dnf clean all && \
+ mkdir -p /exports/hostfs/var/log/ && \
+ mkdir -p /exports/hostfs/etc/{sysconfig,firewalld} && \
+ mkdir -p /exports/hostfs/usr/local/share/polkit-1/actions && \
+ mkdir -p /exports/hostfs/etc/dbus-1/system.d && \
+
+ cp /etc/sysconfig/firewalld /exports/hostfs/etc/sysconfig && \
+ # Copy all the polkit related policy file into a substitute folder '/usr/local/share' as other /usr parts are read only
+ cp /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.* /exports/hostfs/usr/local/share/polkit-1/actions && \
+ # Copy entire firewalld related configuration file into host
+ cp -r /etc/firewalld/* /exports/hostfs/etc/firewalld && \
+ # Copy the dbus configuration file into the host, as we are using host's dbus socket
+ cp /etc/dbus-1/system.d/FirewallD.conf /exports/hostfs/etc/dbus-1/system.d && \
+ # We need /var/log/firewalld for firewalld to write messages
+ touch /exports/hostfs/var/log/firewalld
+
+COPY run.sh /usr/bin/
+
+# System container files
+COPY tmpfiles.template service.template manifest.json config.json.template /exports/
+
+CMD ["/usr/bin/run.sh"]
diff --git a/firewalld/README.md b/firewalld/README.md
new file mode 100644
index 0000000..378cc06
--- /dev/null
+++ b/firewalld/README.md
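Review bot: `$FGC` and `$DISTTAG` in the LABEL block are never declared with ARG or ENV in this Dockerfile, so unless the build service injects them the labels come out as `name="/firewalld"` and `release="1."`; an explicit `ARG FGC` / `ARG DISTTAG` above the LABEL, next to the VERSION/RELEASE/ARCH values, would make that dependency visible. The base is `fedora:latest` and `dnf install` pins nothing, so the image that ends up managing the host firewall changes silently whenever the tag moves — pin a release tag for FROM and, ideally, the firewalld package version. In the RUN chain the `&& \` after the last `mkdir` is followed by an empty continuation line, which BuildKit warns about; dropping that blank line (and moving the `#` comments above the instruction, since the parser strips them from inside the chain) keeps the chain unambiguous. `ENV VERSION=0 RELEASE=1 ARCH=X86_64` is build metadata that is only consumed by LABEL, so `ARG` would serve the same purpose without leaking into the container's runtime environment.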
@@ -0,0 +1,72 @@
+# firewalld
+
+This is firewalld daemon as a system container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/firewalld
+# docker build -t firewalld .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/firewalld
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:firewalld:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=firewalld ($REGISTRY)/firewalld
+```
+
+Or alternatively, without specifying Registry, it will default to ostree image:
+
+```
+# atomic install --system --system-package=no --name=firewalld firewalld
+```
+
+Before you start the service, you need to reload dbus before it considers
+the new configuration. (make sure you are under root when execute this!)
+
+```
+killall -SIGHUP dbus-daemon
+```
+
+Start as a systemd service:
+
+```
+# systemctl start firewalld
+```
+
+Stopping the service
+
+```
+# systemctl stop firewalld
+```
+
+Removing the container
+
+```
+# atomic uninstall firewalld
+```
+
+Or alternatively, you can do:
+
+```
+# atomic containers delete firewalld
+```
diff --git a/firewalld/config.json.template b/firewalld/config.json.template
new file mode 100644
index 0000000..28f8b56
--- /dev/null
+++ b/firewalld/config.json.template
@@ -0,0 +1,339 @@
+{
+ "ociVersion": "1.0.0",
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": 0,
+ "gid": 0
+ },
+ "args": [
+ "/usr/bin/run.sh"
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ "NAME=$NAME"
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "permitted": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "inheritable": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "effective": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "ambient": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ]
+ },
+ "noNewPrivileges": false
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hooks": {},
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": true,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ]
+ },
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "type": "bind",
+ "source": "/dev",
+ "destination": "/dev",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "bind",
+ "source": "/sys",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/firewalld",
+ "destination": "/etc/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/sysconfig",
+ "destination": "/etc/sysconfig",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "type": "bind",
+ "source": "/etc/resolv.conf",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/dbus/system_bus_socket",
+ "destination": "/var/run/dbus/system_bus_socket",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/${NAME}",
+ "destination": "/run/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/var/log/firewalld",
+ "destination": "/var/log/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/usr/lib/modules",
+ "destination": "/usr/lib/modules",
+ "options": [
+ "rbind",
+ "ro",
+ "rslave"
+ ]
+ }
+ ]
+}
diff --git a/firewalld/manifest.json b/firewalld/manifest.json
new file mode 100644
index 0000000..0445027
--- /dev/null
+++ b/firewalld/manifest.json
@@ -0,0 +1,3 @@
+{
+ "version": "1.0"
+}
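Review bot: The `capabilities` block at the top of this hunk grants the complete capability list in all five sets (bounding, permitted, inheritable, effective, ambient), together with `"noNewPrivileges": false`, a device cgroup rule of `"allow": true, "access": "rwm"` for every device, rw rbinds of `/dev` and `/sys`, and only a mount namespace — so the firewalld process is effectively unconfined host root, and a bug in the daemon or its D-Bus surface becomes a full host compromise. firewalld's job needs a network-oriented subset (CAP_NET_ADMIN and CAP_NET_RAW, plus CAP_SYS_MODULE since the image installs kmod and binds `/usr/lib/modules` for module loading) and whatever the `/etc/firewalld` and `/var/log/firewalld` writes require; entries such as CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_TIME and CAP_MAC_ADMIN have no role here that I can see. I would trim the five lists to the set firewalld is observed to need (I have not verified it against the upstream unit, so test it), set `"noNewPrivileges": true` unless something in the container relies on setuid, and narrow the device rule to the nodes firewalld actually opens. If the full set is a deliberate system-container convention, JSON cannot carry that explanation, so it belongs in the README next to the install instructions.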
diff --git a/firewalld/run.sh b/firewalld/run.sh
new file mode 100755
index 0000000..dc84210
--- /dev/null
+++ b/firewalld/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+OPTIONS="--nofork --nopid"
+. /etc/sysconfig/firewalld
+exec /usr/sbin/firewalld $OPTIONS
diff --git a/firewalld/service.template b/firewalld/service.template
new file mode 100644
index 0000000..3771a34
--- /dev/null
+++ b/firewalld/service.template
@@ -0,0 +1,23 @@
+[Unit]
+Description=firewalld - dynamic firewall daemon
+Before=network-pre.target
+Wants=network-pre.target
+After=dbus.service
+After=polkit.service
+Requires=dbus.service
+Wants=polkit.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/firewalld
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+Type=dbus
+BusName=org.fedoraproject.FirewallD1
+KillMode=none
+
+[Install]
+WantedBy=multi-user.target
diff --git a/firewalld/tmpfiles.template b/firewalld/tmpfiles.template
new file mode 100644
index 0000000..e69de29
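Review bot: `. /etc/sysconfig/firewalld` on the third line of run.sh is sourced but nothing it defines is used — the `exec` passes only the `OPTIONS` set on the line above, so the `FIREWALLD_ARGS` value that Fedora's sysconfig file provides (and that the stock unit appends to the same `--nofork --nopid` flags, if I recall correctly) is silently dropped; the host unit's `EnvironmentFile=` in service.template likely does not help either, because `$EXEC_START` launches the container runtime and the container's env is fixed by config.json. Either remove the source line or use what it loads: `exec /usr/sbin/firewalld $OPTIONS $FIREWALLD_ARGS`. The sourced file is a host-owned shell fragment executed as root inside the container, which matches the trust the host unit already places in it, but a comment stating that, e.g. `# sourced for FIREWALLD_ARGS; /etc/sysconfig is a host bind mount owned by root`, saves the next reader the question. `$OPTIONS` is deliberately unquoted for word splitting, which is worth one comment so it does not get "fixed" into a single argument.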
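Review bot: `KillMode=none` in the [Service] section means systemd never signals the container's process group on stop and relies entirely on `$EXEC_STOP` succeeding, so a failed stop command leaves the firewalld process running while the unit reports inactive; recent systemd releases also warn that this setting is deprecated. If the system-container convention requires it because the runtime must own teardown, say so above the line: `# KillMode=none: ExecStop tears the container down via the runtime; systemd must not kill it directly`. `Restart=on-failure` combined with a stop that did not actually stop the container is the case to test, since a second `$EXEC_START` would then collide with the still-running instance.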