diff --git a/security/firewall.md b/security/firewall.md index 48c82c56..d5c5bc75 100644 --- a/security/firewall.md +++ b/security/firewall.md @@ -99,6 +99,21 @@ default Qubes installation): ` qvm-prefs sys-firewall -s netvm sys-net ` +Network service qubes +-------------------------------------- +Qubes does not support running any networking services (e.g. VPN, local DNS server, IPS, ...) directly in a qube that is used to run the Qubes firewall service (usually sys-firewall) for good reasons. In particular if one wants to ensure proper functioning of the Qubes firewall one should not not tinker with iptables or nftables rules in such qubes. + +Instead, one should deploy a network infrastructure such as +~~~ +sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes] +~~~ +Thereby sys-firewall-1 is only needed if one has client qubes connected there as well or wants to manage the traffic of the local network service qube. The sys-firewall-2 proxy ensures that: +1. Firewall changes done in the network service qube cannot render the Qubes firewall ineffective. +1. Changes to the Qubes firewall by the Qubes maintainers cannot lead to unwanted information leakage in combination with user rules deployed in the network service qube. +1. A compromise of the network service qube does not compromise the Qubes firewall. + +For the VPN service please also have a look at the [VPN documentation](/doc/vpn). + Enabling networking between two qubes --------------------------------------
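Review bot: The first paragraph of the new "Network service qubes" section has a doubled negation, "one should not not tinker with iptables or nftables rules", which should read "one should not tinker with iptables or nftables rules". In the same paragraph, "for good reasons" leaves the reader without the rationale until the numbered list three paragraphs later; consider pointing forward, e.g. "for the reasons listed below", so the link between the recommendation and the three properties guaranteed by sys-firewall-2 is explicit. Minor wording: "Thereby sys-firewall-1 is only needed if ..." reads more naturally as "sys-firewall-1 is only needed if ...", since the sentence is a standalone qualification of the diagram rather than a consequence of it.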