{
  # NOTE(review): the NixOS firewall and ferm are both enabled here, so two
  # tools manage the same netfilter tables. Confirm which ruleset actually
  # ends up active on this host (ferm rewrites the tables it manages) and
  # whether the allowed*Ports below are still needed — the same ports
  # (8000/tcp, 34197/udp) are also opened in the ferm INPUT chain.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 8000 ];
    allowedUDPPorts = [ 34197 ];
  };

  # ferm ruleset (ferm syntax; rules are evaluated in order and the first
  # match wins, so the position of each rule matters).
  services.ferm = {
    enable = true;
    config = ''
      # ICMP: IPv4 accepts icmp only, IPv6 accepts both ipv6-icmp and icmp.
      # These are emitted before the shared INPUT block below and therefore
      # sit at the top of each INPUT chain.
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      # Filter table shared by IPv4 and IPv6.
      domain (ip ip6) table filter {
        chain INPUT {
          # Default deny: anything not accepted below is dropped.
          policy DROP;

          # Trusted interfaces are accepted wholesale, regardless of port.
          # '+' is the iptables interface-name wildcard, so wg42_+ matches
          # every wg42_* tunnel.
          interface lo ACCEPT;
          interface tailscale0 ACCEPT;
          interface wg42_+ ACCEPT;
          interface wg0 ACCEPT;

          # Services reachable on every remaining interface, i.e. including
          # the public ones. 80/http and 443/https are each listed twice,
          # which is harmless. 8000/tcp and 34197/udp mirror the
          # networking.firewall entries above.
          proto tcp dport (22 25 53 80 143 389 443 465 587 636 993 4190 6900 8000 http https 34197) ACCEPT;
          proto udp dport (22 25 53 480:510 636 4367 6900 8000 34197) ACCEPT;
          # 179/tcp (BGP) — presumably for the dn42 peers referenced in the
          # FORWARD chain, but note it is accepted on every interface, not
          # only on wg42_*; confirm that is intended.
          proto tcp dport (179) ACCEPT;
          # dns
          # NOTE(review): in the collapsed original this rule followed the
          # "# dns" comment on the same line, so it may have been commented
          # out. Either way 53/udp and 53/tcp are already accepted above, so
          # it does not change what is accepted.
          proto (udp tcp) dport domain ACCEPT;

          # Conntrack handling: drop INVALID first, then accept replies to
          # connections this host initiated. Placed after the port rules,
          # so these only see traffic nothing above already matched.
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;
        }

        # All outbound traffic from this host is allowed.
        chain OUTPUT {
          policy ACCEPT;
        }

        # Routed traffic is denied unless one of the rules below matches.
        chain FORWARD {
          policy DROP;
          # allow intern routing and dn42 forwarding
          interface wg42_+ outerface wg42_+ ACCEPT;
          interface tailscale0 outerface tailscale0 ACCEPT;
          interface tailscale0 outerface wg42_+ ACCEPT;
          # but dn42 -> intern only with exceptions
          interface wg42_+ outerface tailscale0 {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH Access from dn42 to devices behind tailscale0 Interfaces
            proto tcp dport (ssh) ACCEPT;
            # Replies to flows opened from the tailscale side. This matches
            # ESTABLISHED only, not RELATED (unlike the INPUT chain above).
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}