diff --git a/REFERENCE.md b/REFERENCE.md
index 1a8f89f6..0caf1de0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -48,6 +48,7 @@ and Manager Daemons (MGR).
* [`nftables::rules::out::hkp`](#nftables--rules--out--hkp): allow outgoing hkp connections to gpg keyservers
* [`nftables::rules::out::http`](#nftables--rules--out--http): manage out http
* [`nftables::rules::out::https`](#nftables--rules--out--https): manage out https
+* [`nftables::rules::out::icinga2`](#nftables--rules--out--icinga2): allow outgoing icinga2
* [`nftables::rules::out::icmp`](#nftables--rules--out--icmp): control outbound icmp packages
* [`nftables::rules::out::igmp`](#nftables--rules--out--igmp): allow outgoing IGMP messages
* [`nftables::rules::out::imap`](#nftables--rules--out--imap): allow outgoing imap
@@ -1013,6 +1014,24 @@ manage out http
manage out https
+### `nftables::rules::out::icinga2`
+
+allow outgoing icinga2
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::out::icinga2` class:
+
+* [`ports`](#-nftables--rules--out--icinga2--ports)
+
+##### `ports`
+
+Data type: `Array[Stdlib::Port,1]`
+
+icinga2 ports
+
+Default value: `[5665]`
+
### `nftables::rules::out::icmp`
control outbound icmp packages
diff --git a/manifests/rules/out/icinga2.pp b/manifests/rules/out/icinga2.pp
new file mode 100644
index 00000000..bf638ea7
--- /dev/null
+++ b/manifests/rules/out/icinga2.pp
@@ -0,0 +1,10 @@
+# @summary allow outgoing icinga2
+# @param ports icinga2 ports
+class nftables::rules::out::icinga2 (
+ Array[Stdlib::Port,1] $ports = [5665],
+) {
+ nftables::rule {
+ 'default_out-icinga2':
+ content => "tcp dport {${join($ports,', ')}} accept",
+ }
+}
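Review bot: The rule content `tcp dport {...} accept` matches on destination port only, so this class lets the host open TCP connections to port 5665 (or whatever `ports` holds) on any remote address. An Icinga2 agent usually talks to a small, known set of parent endpoints, so an optional destination-address parameter that adds a `daddr` match to the rule would keep the egress allowance narrow. Callers who leave it unset would keep the current behaviour. At minimum the docs should state the scope, e.g. `# @summary allow outgoing icinga2 connections (TCP, any destination address)` and `# @param ports destination TCP ports of the icinga2 endpoints to reach`.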
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
index 7b7b8f92..0c30931b 100644
--- a/spec/acceptance/all_rules_spec.rb
+++ b/spec/acceptance/all_rules_spec.rb
@@ -107,6 +107,7 @@ class { 'nftables':
include nftables::rules::out::mldv2
include nftables::rules::out::mdns
include nftables::rules::out::ssdp
+ include nftables::rules::out::icinga2
include nftables::services::dhcpv6_client
include nftables::services::openafs_client
$config_path = $facts['os']['family'] ? {
diff --git a/spec/classes/rules/out/icinga2_spec.rb b/spec/classes/rules/out/icinga2_spec.rb
new file mode 100644
index 00000000..37abfe34
--- /dev/null
+++ b/spec/classes/rules/out/icinga2_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::out::icinga2' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ context 'default options' do
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {5665} accept') }
+ end
+
+ context 'with ports set' do
+ let(:params) do
+ {
+ ports: [55, 60],
+ }
+ end
+
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_out-icinga2').with_content('tcp dport {55, 60} accept') }
+ end
+ end
+ end
+end
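Review bot: Both contexts pass only accepted values, so nothing pins the `Array[Stdlib::Port,1]` constraint, which is the only validation between the `ports` parameter and the string interpolated into the nft rule. A negative context would catch a later loosening of that type, for example `let(:params) { { ports: [] } }` with `it { is_expected.not_to compile }`. The same check for an out-of-range value such as 70000 (a constructed sample) would cover the upper bound.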