diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 3e93e11b2..3d366204a 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -83,7 +83,10 @@ class tripleo::firewall(
 'firewall_settings' => $firewall_post_extras,
 })
- Class['tripleo::firewall::pre'] -> Class['tripleo::firewall::post']
+ Class['tripleo::firewall::pre']
+ -> Firewall<|tag == 'tripleo-firewall-rule'|>
+ -> Class['tripleo::firewall::post']
+ Service<||> -> Class['tripleo::firewall::post']
 # Allow composable services to load their own custom
diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
index 7b5f56391..820a0f6f1 100644
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@@ -39,11 +39,13 @@ class tripleo::firewall::post(
 tripleo::firewall::rule{ '998 log all':
 proto => 'all',
 jump => 'LOG',
+ tag => 'tripleo-firewall-postrule',
 }
 tripleo::firewall::rule{ '999 drop all':
 proto => 'all',
 action => 'drop',
 extras => $firewall_settings,
+ tag => 'tripleo-firewall-postrule',
 }
 notice('At this stage, all network traffic is blocked.')
 }
diff --git a/manifests/firewall/pre.pp b/manifests/firewall/pre.pp
index 39120d92d..db7540a2b 100644
--- a/manifests/firewall/pre.pp
+++ b/manifests/firewall/pre.pp
@@ -36,22 +36,26 @@ class tripleo::firewall::pre(
 proto => 'all',
 state => ['RELATED', 'ESTABLISHED'],
 extras => $firewall_settings,
+ tag => 'tripleo-firewall-prerule',
 }
 tripleo::firewall::rule{ '001 accept all icmp':
 proto => 'icmp',
 extras => $firewall_settings,
+ tag => 'tripleo-firewall-prerule',
 }
 tripleo::firewall::rule{ '002 accept all to lo interface':
 proto => 'all',
 iniface => 'lo',
 extras => $firewall_settings,
+ tag => 'tripleo-firewall-prerule',
 }
 tripleo::firewall::rule{ '003 accept ssh':
 dport => '22',
 extras => $firewall_settings,
+ tag => 'tripleo-firewall-prerule',
 }
 tripleo::firewall::rule{ '004 accept ipv6 dhcpv6':
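Review bot: The new chain orders only `firewall` resources that actually carry the literal 'tripleo-firewall-rule' tag, so a rule declared through `tripleo::firewall::rule` with a different `$tag`, or with the `firewall` type directly, sits outside pre → rules → post and may be applied after '999 drop all' within the same run. Nothing in the hunk records that invariant; a comment above the collector would, e.g. `# Only rules tagged 'tripleo-firewall-rule' (the define's default) are ordered between pre and post; any other tag opts a rule out of this ordering.` `Service<||> -> Class['tripleo::firewall::post']` additionally orders every managed service before the post class, which is safe only as long as no service transitively requires that class — presumably none does, but a cycle there aborts the catalog. The enclosing class body continues outside the hunk.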
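Review bot: The 'tripleo-firewall-postrule' tag on '998 log all' and '999 drop all' is what keeps these rules out of the `Firewall<|tag == 'tripleo-firewall-rule'|>` collector in tripleo::firewall; with the define's default tag they would be both contained in `Class['tripleo::firewall::post']` and ordered before it, a dependency cycle, and nothing in the hunk says so. The same applies to the 'tripleo-firewall-prerule' tag in the two pre.pp hunks. A comment above the first rule in each file would stop the tag from being tidied back to the default, e.g. `# Do not use the default 'tripleo-firewall-rule' tag here: that tag is collected and ordered relative to this class, so using it would create a dependency cycle.` The tag strings are also spelled out literally in three files with no shared constant, so a typo in one of them silently changes which rules are ordered.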
@@ -59,5 +63,6 @@ class tripleo::firewall::pre(
 proto => 'udp',
 state => ['NEW'],
 destination => 'fe80::/64',
+ tag => 'tripleo-firewall-prerule',
 }
 }
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index f1ea0c9d0..eecedb118 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -63,6 +63,12 @@
 # (optional) The destination cidr associated to the rule.
 # Defaults to undef
 #
+# [*tag*]
+# (optional) tag to add to the resource definition. Used to order any rule that is not pre and post to happen in between pre and post rules
+# Defaults to 'tripleo-firewall-rule'
+#
 # [*extras*]
 # (optional) Hash of any puppetlabs-firewall supported parameters.
 # Defaults to {}
@@ -80,6 +86,7 @@ define tripleo::firewall::rule (
 $destination = undef,
 $extras = {},
 $jump = undef,
+ $tag = 'tripleo-firewall-rule',
 ) {
 if $port == 'all' {
@@ -109,6 +116,7 @@ define tripleo::firewall::rule (
 'chain' => $chain,
 'destination' => $destination,
 'jump' => $jump_real,
+ 'tag' => $tag,
 }
 if $proto == 'icmp' {
 $ipv6 = {
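Review bot: `'tag' => $tag` in the firewall parameter hash is the only thing that places a rule under the pre → rule → post ordering in tripleo::firewall, and nothing validates the value: an empty `$tag`, or an `$extras` hash carrying its own `tag` key (whether that wins depends on the merge order, which is outside this hunk), silently drops the rule out of that ordering with no catalog error. A guard at the top of the define would make the failure visible, `if $tag == '' { fail('tripleo::firewall::rule: tag must not be empty') }`. The parameter doc in the first rule.pp hunk explains what the tag is for but not the cost of overriding it; suggest appending `#   Overriding the default removes the rule from the pre/post ordering in tripleo::firewall.` The define body continues past the last hunk.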