diff --git a/hosts/Alaska/default.nix b/hosts/Alaska/default.nix
index e33c162..602173a 100644
--- a/hosts/Alaska/default.nix
+++ b/hosts/Alaska/default.nix
@@ -9,6 +9,7 @@
 ./configuration.nix
 ./hardware-configuration.nix
 ./modules/dnsmasq.nix
+ ./modules/firewall.nix
 ./modules/forgejo.nix
 ./modules/headscale.nix
 ./modules/msmtp.nix
@@ -74,10 +75,6 @@
 # Lazy IPv6 connectivity for the container
 enableIPv6 = true;
 };
- firewall = {
- enable = true;
- allowedTCPPorts = [80 443 3001 5432]; # port 3001 opened to allow git traffic on the local netword
- };
 };
 services.jellyfin = {
diff --git a/hosts/Alaska/modules/firewall.nix b/hosts/Alaska/modules/firewall.nix
new file mode 100644
index 0000000..c0edb27
--- /dev/null
+++ b/hosts/Alaska/modules/firewall.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ...}:
+
+let
+in
+{
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [80 443 5432];
+
+ extraCommands = with pkgs.lib; ''
+ # ${pkgs.nftables}/bin/nft -f - <