diff --git a/nixos/doc/manual/release-notes.xml b/nixos/doc/manual/release-notes.xml
index 8899cbb2149..68feb80e090 100644
--- a/nixos/doc/manual/release-notes.xml
+++ b/nixos/doc/manual/release-notes.xml
@@ -21,10 +21,6 @@ enhancements are the following:
   <listitem><para>NixOS is now based on Glibc 2.18 and GCC
   4.8.</para></listitem>
 
-  <listitem><para>The mysql55 service has been merged into the
-  mysql service, which no longer sets a default for the 'package
-  option.</para></listitem>
-
 </itemizedlist>
 
 </para>
@@ -34,10 +30,24 @@ following incompatible changes:
 
 <itemizedlist>
 
+  <listitem><para>The firewall is now enabled by default. If you don’t
+  want this, you need to disable it explicitly:
+
+<programlisting>
+networking.firewall.enable = false;
+</programlisting>
+
+  </para></listitem>
+
   <listitem><para>The option
   <option>boot.loader.grub.memtest86</option> has been renamed to
   <option>boot.loader.grub.memtest86.enable</option>.</para></listitem>
 
+  <listitem><para>The <literal>mysql55</literal> service has been
+  merged into the <literal>mysql</literal> service, which no longer
+  sets a default for the option
+  <option>services.mysql.package</option>.</para></listitem>
+
 </itemizedlist>
 
 </para>
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 07e05fa6d05..62d92ba50e1 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -54,7 +54,7 @@ in
 
     networking.firewall.enable = mkOption {
       type = types.bool;
-      default = false;
+      default = true;
       description =
         ''
           Whether to enable the firewall.  This is a simple stateful