diff --git a/roles/vmhost/handlers/main.yml b/roles/vmhost/handlers/main.yml
new file mode 100644
index 0000000..adf5c93
--- /dev/null
+++ b/roles/vmhost/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: save firewalld configuration
+  command: firewall-cmd --runtime-to-permanent
diff --git a/roles/vmhost/tasks/main.yml b/roles/vmhost/tasks/main.yml
index 1053782..310c052 100644
--- a/roles/vmhost/tasks/main.yml
+++ b/roles/vmhost/tasks/main.yml
@@ -61,3 +61,11 @@
     name: '{{ item.name }}'
     autostart: true
   with_items: '{{ libvirt_networks }}'
+
+- name: ensure libvirtd migration port is allowed in the firewall
+  firewalld:
+    port=49152/tcp
+    permanent=no
+    immediate=yes
+    state=enabled
+  notify: save firewalld configuration