diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
index d9adb3b..fd43e5a 100644
--- a/roles/ssh/defaults/main.yml
+++ b/roles/ssh/defaults/main.yml
@@ -24,3 +24,6 @@
 # comment - A comment for the authorized_keys file about the key
 # ssh_key - A path to the ssh public key file that should be added
 ssh_authorized_keys: []
+
+# Should the SSH ports be opened via firewalld?
+ssh_open_ports: true
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..9aac13f
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,24 @@
+---
+# Handlers file for the ssh role
+
+# Infrastructure
+# Ansible instructions to deploy the infrastructure
+# Copyright (C) 2020 Saibotk
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Reload firewalld
+  command: "firewall-cmd --reload"
+  become: true
+
+
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index c2c80a2..81aec0b 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
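Review bot: The comment on the new `ssh_open_ports` default does not say what the switch controls or what it needs: the task it gates (roles/ssh/tasks/main.yml) runs `firewall-cmd --permanent --service=ssh --add-port=…` once per entry of `ssh_server_ports`, is skipped when that list is undefined, and will fail on a host where `firewall-cmd` is absent. I would replace the comment with `# Add each port in ssh_server_ports to firewalld's "ssh" service (permanent rule, applied on reload). Requires firewall-cmd; skipped when ssh_server_ports is undefined. Set to false on hosts without firewalld.` It is also worth stating here that the task only ever adds ports — nothing in this change closes a port that is later removed from `ssh_server_ports`, so stale permanent openings persist until someone removes them by hand.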
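Review bot: The `Reload firewalld` handler has a wider effect than applying the ssh service change: as firewalld documents, `firewall-cmd --reload` replaces the runtime configuration with the permanent one, so any rule another process added to the running firewall without `--permanent` is discarded whenever this role notifies the handler. A reload is the right way to activate `--permanent` changes, but the side effect should be visible to whoever runs the role; I would put it on the handler as `# --permanent changes only apply on reload; a reload also drops any runtime-only rules not present in the permanent config.` The new file also ends with two blank lines, which yamllint's `empty-lines` rule flags — a single trailing newline is enough.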
@@ -17,6 +17,17 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
 
+- name: Ensure SSH ports are opened.
+  command: "firewall-cmd --permanent --service=ssh --add-port={{ item }}/tcp"
+  become: true
+  changed_when: 'firewalld_direct_result.stderr is defined and "ALREADY_ENABLED" not in firewalld_direct_result.stderr'
+  with_items: "{{ ssh_server_ports }}"
+  when:
+    - ssh_server_ports is defined
+    - ssh_open_ports
+  notify:
+    - Reload firewalld
+
 - name: Create users
 user:
 name: "{{ item.user }}"
diff --git a/ssh.yml b/ssh.yml
index 26da959..65dff25 100644
--- a/ssh.yml
+++ b/ssh.yml
@@ -18,19 +18,6 @@
 # along with this program. If not, see .
 
 - hosts: ssh
- pre_tasks:
- - name: Ensure SSH ports are opened.
- command: "firewall-cmd --permanent --service=ssh --add-port={{ item }}/tcp"
- register: firewalld_direct_result
- become: true
- changed_when: 'firewalld_direct_result.stderr is defined and "ALREADY_ENABLED" not in firewalld_direct_result.stderr'
- with_items: "{{ ssh_server_ports }}"
- when: ssh_server_ports is defined
-
- - name: Reload firewalld if needed.
- command: "firewall-cmd --reload"
- become: true
- when: firewalld_direct_result.changed
 roles:
 - role: ssh
 - role: dev-sec.ssh-hardening
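Review bot: The relocated "Ensure SSH ports are opened." task references `firewalld_direct_result` in its `changed_when` but no longer registers it — the `register: firewalld_direct_result` line present in the ssh.yml pre_tasks version was dropped in the move. With nothing registered under that name the expression either fails the task as undefined or, where `is defined` on a missing variable simply yields false, makes the task never report changed, so `Reload firewalld` is never notified and the `--permanent` port addition does not reach the running firewall until some later reload. Add `register: firewalld_direct_result` next to `become: true`. Separately, `with_items: "{{ ssh_server_ports }}"` is evaluated before the per-item `when`, so I would confirm the task is actually skipped rather than failing when `ssh_server_ports` is undefined; `with_items: "{{ ssh_server_ports | default([]) }}"` makes that explicit.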