diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
index ff879a8097..b09d9ee355 100644
--- a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
+++ b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -23,9 +23,11 @@
 custom kernel that is not signed. Please disable SecureBoot on the
 target servers and try again.
-- name: Remove cloud-init
+- name: Remove cloud-init and ufw
 apt:
- name: cloud-init
+ name:
+ - cloud-init
+ - ufw
 state: absent
 purge: yes
 tags:
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
index 9f01dffed7..559194582e 100644
--- a/molecule/testinfra/common/test_system_hardening.py
+++ b/molecule/testinfra/common/test_system_hardening.py
@@ -173,6 +173,7 @@ def test_iptables_packages(host):
 firewall config across reboots.
 """
 assert host.package("iptables-persistent").is_installed
+ assert not host.package("ufw").is_installed
 def test_snapd_absent(host):
diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.service b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.service
new file mode 100644
index 0000000000..c24a0f35bd
--- /dev/null
+++ b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Remove ufw if installed
+ConditionPathExists=/usr/sbin/ufw
+
+[Service]
+Type=oneshot
+Environment="DEBIAN_FRONTEND=noninteractive"
+ExecStart=/usr/bin/apt-get purge --yes ufw
+User=root
diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.timer b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.timer
new file mode 100644
index 0000000000..f5f69772ec
--- /dev/null
+++ b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.timer
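Review bot: Adding ufw to the purge list leaves open what happens to ufw's iptables chains on a host where ufw was enabled before this task runs; unless ufw's maintainer scripts stop the firewall on removal (not visible in this diff), those chains stay loaded next to the iptables-persistent rules the test hunk below expects, until a reload or reboot. A preceding task such as `service: name=ufw state=stopped enabled=no`, guarded by a check that the package is actually present, would make the resulting ruleset deterministic instead of depending on package-script behaviour. The same question applies to `securedrop-remove-ufw.service`, added later in this diff, which runs the purge unattended on existing installs.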
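Review bot: The new `assert not host.package("ufw").is_installed` is placed inside test_iptables_packages (its `def` and docstring start above the hunk), so a ufw regression would be reported under a test name and docstring that only mention iptables-persistent. Either extend the docstring with a line such as `ufw must be absent: it would manage the same netfilter ruleset as iptables-persistent.`, or give the check its own `def test_ufw_absent(host):` next to `test_snapd_absent` so a failure is self-describing.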
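Review bot: `ExecStart=/usr/bin/apt-get purge --yes ufw` fails immediately if another apt/dpkg process holds the lock at that moment (unattended-upgrades is itself a daily timer), and with `Type=oneshot` the failure is only retried at the next timer elapse; appending `-o DPkg::Lock::Timeout=300` to the apt-get command lets it wait for the lock instead. `ConditionPathExists=/usr/sbin/ufw` also means a host where ufw was removed but not purged keeps its /etc/ufw configuration indefinitely, which may be acceptable but differs from the `purge: yes` the Ansible task applies. `User=root` is the default for system services and can be dropped.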
@@ -0,0 +1,10 @@
+[Unit]
+Description=Remove ufw if installed
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
index 2f12ea154b..fb0cbdf652 100755
--- a/securedrop/debian/rules
+++ b/securedrop/debian/rules
@@ -78,6 +78,7 @@ override_dh_systemd_enable:
 dh_systemd_enable --no-enable securedrop-submissions-today.service
 dh_systemd_enable --no-enable securedrop-clean-tmp.service
 dh_systemd_enable --no-enable securedrop-remove-pending-sources.service
+ dh_systemd_enable --no-enable securedrop-remove-ufw.service
 dh_systemd_enable
 # This is basically the same as the enable stanza above, just whether the
@@ -86,4 +87,5 @@ override_dh_systemd_start:
 dh_systemd_start --no-start securedrop-submissions-today.service
 dh_systemd_start --no-start securedrop-clean-tmp.service
 dh_systemd_start --no-start securedrop-remove-pending-sources.service
+ dh_systemd_start --no-start securedrop-remove-ufw.service
 dh_systemd_start
diff --git a/securedrop/debian/securedrop-config.install b/securedrop/debian/securedrop-config.install
index ab397f789e..818f3739ed 100644
--- a/securedrop/debian/securedrop-config.install
+++ b/securedrop/debian/securedrop-config.install
@@ -1,2 +1,3 @@
 debian/config/etc /
+debian/config/lib /
 debian/config/opt /
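Review bot: With `OnCalendar=daily` alone, the first purge on an already-deployed server happens at the next calendar elapse, up to a day after the upgrade installs and starts this timer; `Persistent=true` only replays elapses missed while the timer was inactive, and whether a first activation with no stamp file triggers immediately is not something this unit guarantees. If the intent is to remove ufw promptly on upgrade, add `OnActiveSec=10min` to the `[Timer]` section so the service also runs shortly after the timer is first activated (and after each boot), while the daily calendar entry keeps covering the long tail.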
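Review bot: Both debian/rules hunks name only `securedrop-remove-ufw.service`; the matching `.timer`, which is what actually has to be enabled and started for the purge ever to run, is not mentioned and presumably falls through to the bare `dh_systemd_enable` / `dh_systemd_start` call at the end of each stanza via its `[Install]` section, as the other timers appear to. A one-line comment above the list, e.g. `# *.timer units are enabled/started by the bare dh_systemd_* call below; only their oneshot services are listed here`, would make that dependency explicit for the next person adding a unit. The same applies to the override_dh_systemd_start hunk.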