diff --git a/firewalld/backend.sls b/firewalld/backend.sls
new file mode 100644
index 0000000..7190c89
--- /dev/null
+++ b/firewalld/backend.sls
@@ -0,0 +1,11 @@
+# == State: firewalld.backends
+#
+# This state ensures that /etc/firewalld/backends/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+{%- if salt['pillar.get']('firewalld:installbackend') %}
+package_backend:
+ pkg.installed:
+ - name: {{ firewalld.backendpackage }}
+{%- endif %}
diff --git a/firewalld/defaults.yaml b/firewalld/defaults.yaml
index 84b32a6..3dfe739 100644
--- a/firewalld/defaults.yaml
+++ b/firewalld/defaults.yaml
@@ -3,5 +3,6 @@
 firewalld:
 package: firewalld
 ipsetpackage: ipset
+ backendpackage: nftables
 service: firewalld
 config: /etc/firewalld.conf
diff --git a/firewalld/files/firewalld.conf b/firewalld/files/firewalld.conf
index 52190d6..4f8872c 100644
--- a/firewalld/files/firewalld.conf
+++ b/firewalld/files/firewalld.conf
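Review bot: The header comment of the new backend.sls describes a state that is not the one written: the file is included as `firewalld.backend` and its only state installs `firewalld.backendpackage`, yet the comment names `firewalld.backends` and says it ensures `/etc/firewalld/backends/` exists, for which no file.directory state is present. Suggest replacing the three comment lines with `# == State: firewalld.backend` and `# Installs the firewall backend package (firewalld.backendpackage) when pillar firewalld:installbackend is set.`. The `{% from ... %}` import also lacks the `-` whitespace control used on the `if`/`endif` lines, so it leaves a stray blank line in the rendered state; `{%- from "firewalld/map.jinja" import firewalld with context %}` would match the rest of the file.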
@@ -55,3 +55,24 @@ IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
 # Default: off
 LogDenied={{ firewalld.LogDenied|default('off') }}
 {%- endif %}
+{%- if firewalld.get('AutomaticHelpers', False) %}
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
+{%- endif %}
+{%- if firewalld.get('FirewallBackend', False) %}
+
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+# - nftables (default)
+# - iptables (iptables, ip6tables, ebtables and ipset)
+FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
+{%- endif %}
diff --git a/firewalld/init.sls b/firewalld/init.sls
index f410bd5..23477e7 100644
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@@ -18,6 +18,7 @@ firewalld-unsupported:
 include:
 - firewalld.config
 - firewalld.ipsets
+ - firewalld.backend
 - firewalld.services
 - firewalld.zones
 - firewalld.direct
diff --git a/pillar.example b/pillar.example
index b1705ed..9979838 100644
--- a/pillar.example
+++ b/pillar.example
@@ -2,6 +2,7 @@ firewalld: enabled: True ipset: True + installbackend: False default_zone: public services:
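Review bot: The new `AutomaticHelpers` block is guarded by a truthiness check, `firewalld.get('AutomaticHelpers', False)`, so the value the comment itself recommends (`no`) is silently dropped whenever a pillar author writes it unquoted, because YAML parses `no` as boolean false and firewalld then falls back to its `system` default; an unquoted `yes` would pass the guard but render as `True`, which is not a listed value either. A presence check, `{%- if 'AutomaticHelpers' in firewalld %}`, together with a note in pillar.example that the value must be quoted (`AutomaticHelpers: 'no'`), would make the rendered setting deterministic. The fallback on the same line is also misspelled — `sytem` is not among the three values the comment lists — and should read `AutomaticHelpers={{ firewalld.AutomaticHelpers|default('system') }}`. The `{%- endif %}` context line closes a block that starts outside this hunk.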