diff --git a/files/communishift/mcs/README.md b/files/communishift/mcs/README.md
new file mode 100644
index 0000000000..20cc85edd5
--- /dev/null
+++ b/files/communishift/mcs/README.md
@@ -0,0 +1,12 @@
+MachineConfig files
+-------------------
+
+The files in this directory are used as machineconfig files for communishift.
+Note that they're template files: some changes will need to be made before "oc create -f".
+
+Specifically:
+- The templates have two "DOBOTH" replacements. You want to create the file twice,
+ once with both DOBOTH cases replaced with "master" and once replaced with "worker".
+- The mc_firewall.yml.template has a bit FILL_IN_HERE. Run "./to_data.sh firewall.sh",
+ and copy the output from that script into the FILL_IN_HERE bit in the MC.
+ Then run that MC twice as per the previous point (master and worker).
diff --git a/files/communishift/mcs/firewall.sh b/files/communishift/mcs/firewall.sh
new file mode 100644
index 0000000000..0cea10a4c9
--- /dev/null
+++ b/files/communishift/mcs/firewall.sh
@@ -0,0 +1,10 @@
+set -xe
+
+iptables -N fedora-block-ports
+iptables -A fedora-block-ports -p tcp --dport 111 -j REJECT
+iptables -A fedora-block-ports -p udp --dport 111 -j REJECT
+iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.42 -j ACCEPT
+iptables -A fedora-block-ports -p tcp --dport 22623 --src 38.145.48.43 -j ACCEPT
+iptables -A fedora-block-ports -p tcp --dport 22623 -j REJECT
+
+iptables -I INPUT 1 -j fedora-block-ports
diff --git a/files/communishift/mcs/mc_chrony.yml.template b/files/communishift/mcs/mc_chrony.yml.template
new file mode 100644
index 0000000000..de69b39bc5
--- /dev/null
+++ b/files/communishift/mcs/mc_chrony.yml.template
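Review bot: `iptables -N fedora-block-ports` on the third line aborts the whole script under `set -e` whenever the chain already exists, so any second run (for example a `systemctl restart` of the unit that calls it) fails before touching a rule; a re-runnable form is `iptables -N fedora-block-ports 2>/dev/null || iptables -F fedora-block-ports`, with the final line guarded as `iptables -C INPUT -j fedora-block-ports 2>/dev/null || iptables -I INPUT 1 -j fedora-block-ports`. The rules are IPv4-only: if the nodes carry IPv6 addresses, ports 111 and 22623 stay reachable over IPv6 unless matching `ip6tables` rules are added. The file has no shebang and depends on being invoked as `bash /etc/fedora_firewall.sh`, which is worth stating. A header comment such as `# Reject portmapper (111) from everywhere and 22623 except from the two listed hosts; inserted at the head of INPUT` would make the intent clear to the next reader.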
@@ -0,0 +1,19 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ generation: 1
+ name: 50-chrony-DOBOTH
+ labels:
+ machineconfiguration.openshift.io/role: DOBOTH
+spec:
+ config:
+ ignition:
+ version: "2.2.0"
+ storage:
+ files:
+ - contents:
+ source: "data:,server%20cloud-noc01.cloud.fedoraproject.org%20port%20124"
+ verification: {}
+ filesystem: root
+ mode: 0644
+ path: /etc/chrony.conf
diff --git a/files/communishift/mcs/mc_firewall.yml.template b/files/communishift/mcs/mc_firewall.yml.template
new file mode 100644
index 0000000000..6dfc994716
--- /dev/null
+++ b/files/communishift/mcs/mc_firewall.yml.template
@@ -0,0 +1,32 @@
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+ generation: 1
+ name: 40-firewall-DOBOTH
+ labels:
+ machineconfiguration.openshift.io/role: DOBOTH
+spec:
+ config:
+ ignition:
+ version: "2.2.0"
+ storage:
+ files:
+ - path: /etc/fedora_firewall.sh
+ mode: 0755
+ filesystem: root
+ contents:
+ source: "FILL_IN_HERE"
+ systemd:
+ units:
+ - name: "fedora_firewall.service"
+ enabled: true
+ contents: |-
+ [Unit]
+ Descrption=Block firewall ports for Fedora
+
+ [Service]
+ Type=oneshot
+ ExecStart=bash /etc/fedora_firewall.sh
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/files/communishift/mcs/to_data.sh b/files/communishift/mcs/to_data.sh
new file mode 100755
index 0000000000..0e27d3bab4
--- /dev/null
+++ b/files/communishift/mcs/to_data.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+echo -n "data:,"
+cat $1 | tr '\n' '*' | sed -e 's/*/%0A/g' | sed -e 's/ /%20/g'
+echo
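Review bot: `mode: 0644` on the second-to-last line relies on YAML 1.1 octal parsing to produce the decimal 420 that Ignition's integer `mode` field expects; a YAML 1.2 parser reads `0644` as decimal 644 (octal 1204), which is not the mode intended. Writing `mode: 420` removes the ambiguity, and the same applies to `mode: 0755` in mc_firewall.yml.template (decimal 493). `generation: 1` under `metadata` is server-managed and does not belong in a template. The data URL replaces `/etc/chrony.conf` with the single line `server cloud-noc01.cloud.fedoraproject.org port 124`; since 124 is not the usual NTP port, a comment above the file entry such as `# chrony.conf is replaced wholesale; port 124 is deliberate — confirm against cloud-noc01` would stop a later reader "fixing" it.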
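Review bot: `Descrption=` in the `[Unit]` section of the embedded service is misspelled; systemd ignores the unknown key with a warning, so the unit has no description — it should read `Description=Block firewall ports for Fedora`. The unit is ordered only through `WantedBy=multi-user.target`, so the REJECT rules are applied after networking is up and there is a window on every boot before ports 111 and 22623 are filtered; making the unit part of early boot ordering closes it. With `Type=oneshot` and no `RemainAfterExit=yes`, the unit reports inactive once the script has run and a restart re-executes `/etc/fedora_firewall.sh`, which needs the script to tolerate being run twice. `mode: 0755` carries the same YAML 1.1 octal dependency as the chrony template; `mode: 493` is unambiguous.
```yaml
      contents: |-
        [Unit]
        Description=Block firewall ports for Fedora
        DefaultDependencies=no
        Wants=network-pre.target
        Before=network-pre.target
        # … unchanged: [Service] and [Install] sections …
```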
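Review bot: The encoding on the third line is lossy: a literal `*` in the input is turned into `%0A` by the second sed stage, and `%` is never escaped to `%25`, so any input containing either yields a corrupted data URL (characters such as `#` and `"` are also left unencoded, which a stricter URL parser may reject). `$1` is unquoted and the `cat` is unnecessary, and the script has no `set -e`, so a missing file still prints a `data:,` prefix and exits 0. If `python3` is available on the workstation where this runs, the standard library does the encoding correctly: replace lines 2–4 with `printf 'data:,'`, `python3 -c 'import sys, urllib.parse; sys.stdout.write(urllib.parse.quote(sys.stdin.read()))' < "$1"` and `echo`, with `set -euo pipefail` after the shebang. A one-line header comment, `# Emit FILE as an RFC 2397 data: URL for an Ignition contents.source field`, would document the purpose.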