diff --git a/modules/nixos/base/security/firewall.nix b/modules/nixos/base/security/firewall.nix
index 0781c7f..1fe45c9 100644
--- a/modules/nixos/base/security/firewall.nix
+++ b/modules/nixos/base/security/firewall.nix
@@ -2,6 +2,12 @@
   networking.firewall = {
     enable = true;
 
+    allowedTCPPorts = [
+      22 # SSH
+      80
+      443
+    ];
+
     # dont respond to icmpv4 pings.
     allowPing = false;
   };