diff --git a/hosts/fondue/default.nix b/hosts/fondue/default.nix
index 9eb04d5..7d42262 100644
--- a/hosts/fondue/default.nix
+++ b/hosts/fondue/default.nix
@@ -14,6 +14,7 @@ snapper
 ./filesystem.nix
+ ./firewall.nix
 ./kernel.nix
 ./networking.nix
diff --git a/hosts/fondue/firewall.nix b/hosts/fondue/firewall.nix
new file mode 100644
index 0000000..8c96e41
--- /dev/null
+++ b/hosts/fondue/firewall.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ networking.firewall.allowedTCPPorts = [ 22 80 ];
+}
diff --git a/modules/system/security.nix b/modules/system/security.nix
index abada90..b1e3260 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,5 +1,9 @@
 { config, pkgs, ... }: {
- networking.firewall.enable = false;
+ networking.firewall = {
+ enable = true;
+ allowedUDPPorts = [ 20100 ];
+ trustedInterfaces = [ "wg0" ];
+ };
 services.openssh = {
 enable = true;
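Review bot: In hosts/fondue/firewall.nix, `allowedTCPPorts = [ 22 80 ]` opens both ports on every interface, and nothing in the file says which service needs port 80 or why only plaintext HTTP is exposed. On NixOS `services.openssh.openFirewall` defaults to true, so with `services.openssh.enable = true` in modules/system/security.nix port 22 is already opened and the entry here is redundant. If SSH is meant to be reached only over the trusted `wg0` interface, set `services.openssh.openFirewall = false;` and drop 22 from this list. I would also add a comment on the line such as `# 80: <service that listens here>` so the exposure can be audited later.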
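Review bot: In modules/system/security.nix, `trustedInterfaces = [ "wg0" ]` accepts all traffic arriving on that interface, so anything that can send on `wg0` reaches every listening service on each host importing this shared module, regardless of the port allowlist. If peers only need specific services, a per-interface allowlist is narrower, e.g. `interfaces.wg0.allowedTCPPorts = [ 22 ];` in place of the trusted-interface line, with the port list set to what peers actually use. `allowedUDPPorts = [ 20100 ]` is presumably the WireGuard listen port; a comment `# WireGuard listen port` would confirm that, and if so it could move to the hosts that actually run a tunnel. The `services.openssh` block continues outside the hunk, so its authentication settings are not visible here.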