diff --git a/nixos/hosts/nuc-server/firewall.nix b/nixos/hosts/nuc-server/firewall.nix
new file mode 100644
index 00000000..6ef99846
--- /dev/null
+++ b/nixos/hosts/nuc-server/firewall.nix
@@ -0,0 +1,21 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        53   # DNS
+        80    # HTTP
+        443   # HTTPS
+      ];
+      interfaces = {
+        tailscale0= { 
+          allowedTCPPorts = [
+            53   # DNS
+            80    # HTTP
+            443   # HTTPS
+          ];
+        };
+      };
+    };
+  };
+}