diff --git a/pinecrypt/server/cli.py b/pinecrypt/server/cli.py
index c06678e..b027388 100644
--- a/pinecrypt/server/cli.py
+++ b/pinecrypt/server/cli.py
@@ -267,7 +267,8 @@ def pinecone_provision():
         yield ":INPUT ACCEPT [0:0]"
         yield ":OUTPUT ACCEPT [0:0]"
         yield ":POSTROUTING ACCEPT [0:0]"
-        yield "-A POSTROUTING -j MASQUERADE"
+        if not const.DISABLE_MASQUERADE:
+            yield "-A POSTROUTING -j MASQUERADE"
         yield "COMMIT"
 
     with open("/tmp/rules4", "w") as fh:
diff --git a/pinecrypt/server/const.py b/pinecrypt/server/const.py
index d334675..c698e76 100644
--- a/pinecrypt/server/const.py
+++ b/pinecrypt/server/const.py
@@ -177,4 +177,5 @@ SESSION_AGE = 3600
 
 SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db")
 
-DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL") == "True" if os.getenv("DISABLE_FIREWALL") else False
+DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL")
+DISABLE_MASQUERADE = os.getenv("DISABLE_MASQUERADE")