diff --git a/README.rst b/README.rst
index ebc68f4cb5eb87bc68ab734ff8753daf36cd4036..7ed6e78d52d5db7f7c500745f9f7d1a6b6f5d0bd 100644
--- a/README.rst
+++ b/README.rst
@@ -138,6 +138,15 @@ servers as the nameservers for zone delegation, and the other nodes
 are free to have dynamic membership.
 
 
+Firewalls
++++++++++
+
+The users should be able to reach ports 53/tcp, 53/udp, 80/tcp and
+8000/tcp on all nodes. Nodes should be able to reach 4001/tcp and
+4002/tcp on each other; these two ports can be public if you've set up
+X509-based authentication to etcd.
+
+
 Instrumentation
 +++++++++++++++