diff --git a/qubes/vm/__init__.py b/qubes/vm/__init__.py
index 21efa0d9..36112bc5 100644
--- a/qubes/vm/__init__.py
+++ b/qubes/vm/__init__.py
@@ -566,6 +566,9 @@ class BaseVM(qubes.PropertyHolder):
             subprocess.call(["sudo", "systemctl", "start",
                              "qubes-reload-firewall@%s.timer" % self.name])
 
+        # XXX any better idea? some arguments?
+        self.fire_event('firewall-changed')
+
         return True
 
     def has_firewall(self):
diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py
index 1819c7d8..7557358c 100644
--- a/qubes/vm/mix/net.py
+++ b/qubes/vm/mix/net.py
@@ -251,6 +251,9 @@ class NetVMMixin(object):
             # remove dead device
             self.app.vmm.xs.rm('', '{}/{}'.format(dev_basepath, dev))
 
+    def reload_firewall_for_vm(self, vm):
+        # TODO QubesOS/qubes-issues#1815
+        pass
 
     @qubes.events.handler('property-del:netvm')
     def on_property_del_netvm(self, event, name, old_netvm):
@@ -290,3 +293,21 @@ class NetVMMixin(object):
 
             # TODO documentation
             new_netvm.fire_event('net-domain-connect', self)
+            # FIXME handle in the above event?
+            new_netvm.reload_firewall_for_vm(self)
+
+    @qubes.events.handler('qdb-created')
+    def on_qdb_created(self, event):
+        # TODO: fill firewall QubesDB entries (QubesOS/qubes-issues#1815)
+        pass
+
+    # FIXME use event after creating Xen domain object, but before "resume"
+    @qubes.events.handler('domain-started')
+    def on_domain_started(self, event, **kwargs):
+        if self.netvm:
+            self.netvm.reload_firewall_for_vm(self)
+
+    @qubes.events.handler('firewall-changed')
+    def on_firewall_changed(self, event):
+        if self.is_running() and self.netvm:
+            self.netvm.reload_firewall_for_vm(self)