diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index cbbf587b3..f557dd176 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -409,13 +409,24 @@
 in_interface: "{{ network_interface }}"
 jump: ACCEPT
 loop:
- - 68
- - 69
 - "{{ file_url_port }}"
 - "{{ file_url_port_tls }}"
 - 6385
 when: not use_firewalld | bool
 
+- name: "Explicitly permit DHCP and TFTP ports"
+ iptables:
+ chain: INPUT
+ action: insert
+ protocol: udp
+ destination_port: "{{ item }}"
+ in_interface: "{{ network_interface }}"
+ jump: ACCEPT
+ loop:
+ - 67
+ - 69
+ when: not use_firewalld | bool
+
 - name: "Enable services in firewalld"
 firewalld:
 service: "{{ item }}"
diff --git a/releasenotes/notes/ubuntu-ports-6e6c2fef3dc7bccb.yaml b/releasenotes/notes/ubuntu-ports-6e6c2fef3dc7bccb.yaml
new file mode 100644
index 000000000..158ebb631
--- /dev/null
+++ b/releasenotes/notes/ubuntu-ports-6e6c2fef3dc7bccb.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - |
+ Fixes the iptables rule for PXE on systems not using firewalld (use
+ port UDP/67 and UDP/69 instead of TCP/68 and TCP/69).
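Review bot: The new "Explicitly permit DHCP and TFTP ports" task accepts UDP/67 and UDP/69 from any source on `network_interface` and leaves no marker on the inserted rules, so an operator auditing `iptables -S` cannot tell which component opened them. Both protocols are unauthenticated, so I would add `comment: "bifrost PXE: DHCP and TFTP"` to the `iptables:` arguments and a YAML comment above the task noting that 67 is the DHCP server port and that the interface is expected to be the provisioning network. TFTP transfers continue on an ephemeral server port after the initial request to 69, so this presumably relies on an established/related accept rule elsewhere in the chain, which is not visible in this hunk. The preceding task that still loops over `file_url_port`, `file_url_port_tls` and 6385 starts outside the hunk.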