diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml
index dbbfe815b..658d24d44 100644
--- a/ansible/fatimage.yml
+++ b/ansible/fatimage.yml
@@ -27,13 +27,6 @@
 become: yes
 gather_facts: no
 tasks:
- - name: Disable firewalld
- # This is enabled on installation, which isn't what we want
- systemd:
- name: firewalld
- state: stopped
- enabled: false
-
 # - import_playbook: iam.yml
 - name: Install FreeIPA client
 import_role:
diff --git a/ansible/roles/firewalld/tasks/main.yml b/ansible/roles/firewalld/tasks/main.yml
index 7b6bf8db1..98a7aa732 100644
--- a/ansible/roles/firewalld/tasks/main.yml
+++ b/ansible/roles/firewalld/tasks/main.yml
@@ -1,15 +1,3 @@
 ---
 - import_tasks: install.yml
-
-- name: Apply filewalld configs
- ansible.posix.firewalld: "{{ item }}"
- notify: Restart filewalld
- loop: "{{ firewalld_configs }}"
-
-- meta: flush_handlers
-
-- name: Ensure filewalld state
- ansible.builtin.systemd:
- name: firewalld
- state: "{{ firewalld_state }}"
- enabled: "{{ firewalld_enabled | default('yes' ) }}"
+- import_tasks: runtime.yml
diff --git a/ansible/roles/firewalld/tasks/runtime.yml b/ansible/roles/firewalld/tasks/runtime.yml
new file mode 100644
index 000000000..2c9ab59cc
--- /dev/null
+++ b/ansible/roles/firewalld/tasks/runtime.yml
@@ -0,0 +1,12 @@
+- name: Apply filewalld configs
+ ansible.posix.firewalld: "{{ item }}"
+ notify: Restart filewalld
+ loop: "{{ firewalld_configs }}"
+
+- meta: flush_handlers
+
+- name: Ensure filewalld state
+ ansible.builtin.systemd:
+ name: firewalld
+ state: "{{ firewalld_state }}"
+ enabled: "{{ firewalld_enabled | default(true) }}"
diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml
index a9fde767c..70ae835d5 100644
--- a/environments/common/inventory/group_vars/builder/defaults.yml
+++ b/environments/common/inventory/group_vars/builder/defaults.yml
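Review bot: In ansible/roles/firewalld/tasks/runtime.yml, `ansible.posix.firewalld: "{{ item }}"` hands each entry of `firewalld_configs` to the module as its complete argument set, so whatever defines that variable decides which zones, ports and services are opened, and a misspelled key only surfaces at run time. Ansible's documentation describes bulk-setting task arguments from a variable as unsafe when the variable's value can come from host facts, so the list should be defined in inventory only. A comment above the task such as `# firewalld_configs: inventory-defined only; each item is passed verbatim as module arguments` would record that. The `notify: Restart filewalld` spelling has to match a handler that is not part of this diff, so the task-name typo should not be corrected on its own.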
@@ -14,3 +14,5 @@ block_devices_configurations: [] # as volumes will not be attached to Packer bui
 mysql_state: stopped # as it tries to connect to real mysql node
 opensearch_state: stopped # avoid writing config+certs+db into image
 cuda_persistenced_state: stopped # probably don't have GPU in Packer build VMs
+firewalld_enabled: false # dnf install of firewalld enables it
+firewalld_state: stopped # dnf install of firewalld enables it
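Review bot: The two added comments in builder/defaults.yml say why firewalld needs switching off but not what that means for the image: with `firewalld_enabled: false` and `firewalld_state: stopped`, anything booted from the built image has no host firewall until the firewalld role runs again with non-builder values. That presumably matches what the task removed from fatimage.yml did, but it now depends on the build hosts actually running the firewalld role, which this diff does not show. I would replace the duplicated trailing comments with one line above both keys, e.g. `# dnf install enables firewalld; keep it off in the image - deployed nodes must set firewalld_enabled/firewalld_state themselves`.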