diff --git a/ansible/group_vars/all/bifrost b/ansible/group_vars/all/bifrost
index b513671990d1ea8740955ff94dbb39e7ee40832a..c4c68c058086b25171ddd8c26d0ac8ae14046d21 100644
--- a/ansible/group_vars/all/bifrost
+++ b/ansible/group_vars/all/bifrost
@@ -11,6 +11,10 @@ kolla_bifrost_source_url: "https://opendev.org/openstack/bifrost"
 # {{ openstack_branch }}.
 kolla_bifrost_source_version: "{{ openstack_branch }}"
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+kolla_bifrost_use_firewalld: False
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 kolla_bifrost_firewalld_internal_zone: trusted
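Review bot: The comment above `kolla_bifrost_use_firewalld` says why the default is off, but not what the operator takes on as a result. With this set to false, Bifrost presumably no longer opens or restricts its own service ports, so access to them depends entirely on the seed host firewall rules that Kayobe configures. I would add a line such as `# When false, Bifrost does not manage firewall rules; the seed host firewall configuration must permit (and restrict) access to the Bifrost services.` Separately, `false` in lowercase is the canonical YAML/Ansible spelling and avoids `truthy` lint warnings: `kolla_bifrost_use_firewalld: false`. The commented example in etc/kayobe/bifrost.yml would benefit from the same extra comment line.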
diff --git a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
index cb1291f12608d6f6513da61d2df410f387b858d5..e8accf4f65daf33e8083fb5cc030235a17779c8d 100644
--- a/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
+++ b/ansible/roles/kolla-bifrost/templates/kolla/config/bifrost/bifrost.yml
@@ -64,6 +64,9 @@ ipa_ramdisk_upstream_checksum_url: "{{ kolla_bifrost_ipa_ramdisk_checksum_url }}
 # Algorithm of checksum of Ironic Python Agent (IPA) ramdisk image.
 ipa_ramdisk_upstream_checksum_algo: "{{ kolla_bifrost_ipa_ramdisk_checksum_algorithm }}"
 
+# Whether Bifrost uses firewalld.
+use_firewalld: "{{ kolla_bifrost_use_firewalld }}"
+
 # Firewalld zone used by Bifrost.
 firewalld_internal_zone: "{{ kolla_bifrost_firewalld_internal_zone }}"
 
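Review bot: `use_firewalld` is rendered inside double quotes, so the file handed to Bifrost carries the string `"False"` rather than a YAML boolean. If any consumer of this variable tests it without a `| bool` filter (not visible from this hunk), a non-empty string could be treated as true and firewalld would be enabled despite the new default. Rendering a real boolean removes that ambiguity and also normalises operator overrides such as `no` or `"false"`: `use_firewalld: {{ kolla_bifrost_use_firewalld | bool }}`. The template output is plain text, so the unquoted expression is safe here.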
diff --git a/etc/kayobe/bifrost.yml b/etc/kayobe/bifrost.yml
index 275d80bc859731a160809af1f875fe639c243647..0bfcec72691c70cc1b67bebfd897b66edc644788 100644
--- a/etc/kayobe/bifrost.yml
+++ b/etc/kayobe/bifrost.yml
@@ -11,6 +11,10 @@
 # {{ openstack_branch }}.
 #kolla_bifrost_source_version:
 
+# Whether Bifrost uses firewalld. Default value is false to avoid conflicting
+# with iptables rules configured on the seed host by Kayobe.
+#kolla_bifrost_use_firewalld:
+
 # Firewalld zone used by Bifrost. Default is "trusted", to avoid blocking other
 # services running on the seed host.
 #kolla_bifrost_firewalld_internal_zone:
diff --git a/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ad10a9c51bd1cafc34bf09ea82773d70b7079477
--- /dev/null
+++ b/releasenotes/notes/bifrost-use-firewalld-90b69e2ac6eead67.yaml
@@ -0,0 +1,16 @@
+---
+features:
+  - |
+    Adds a new ``kolla_bifrost_use_firewalld`` variable used to define whether
+    Bifrost uses firewalld, which is now disabled by default.
+upgrade:
+  - |
+    Bifrost is now configured to avoid using firewalld, to prevent conflicts
+    with firewall rules set by Kayobe on the seed host. The existing behaviour
+    can be retained by setting ``kolla_bifrost_use_firewalld`` to ``True`` in
+    ``bifrost.yml``.
+fixes:
+  - |
+    Prevents Bifrost from using firewalld to avoid conflicts with firewall
+    rules set by Kayobe on the seed host. See `story 2009252
+    <https://storyboard.openstack.org/#!/story/2009252>`__ for more details.