{
  # Host firewall (NixOS networking.firewall) running on the nftables backend.
  # Ports listed under allowed* are reachable on every interface that is not
  # in trustedInterfaces; everything arriving on wg0 is accepted unconditionally.
  networking = {
    # Use nftables rather than iptables; extraForwardRules below is only
    # honoured with this backend.
    nftables.enable = true;

    firewall = {
      enable = true;

      # Inbound TCP exposed to untrusted interfaces. IANA assignments for
      # reference only — which services actually listen is not visible here:
      #   25 smtp, 80 http, 143 imap, 179 bgp, 389 ldap, 443 https,
      #   465 smtps, 587 submission, 636 ldaps, 993 imaps, 4190 managesieve;
      #   4130, 6900, 8000 are application-specific and not identified here.
      # NOTE(review): 389/tcp (plaintext LDAP) and 179/tcp (BGP) being
      # reachable from every non-trusted interface is worth confirming
      # against intent; if only VPN peers need them, narrowing to the
      # trusted interface would shrink the exposed surface.
      allowedTCPPorts = [ 25 80 143 179 389 443 465 587 636 993 4130 4190 6900 8000 ];

      # Inbound UDP exposed to untrusted interfaces.
      # NOTE(review): 80/udp and 636/udp are unusual (QUIC normally uses
      # 443/udp, LDAPS is TCP-only) — confirm a listener actually exists,
      # otherwise drop them. 4367, 6900, 34197 are application-specific.
      allowedUDPPorts = [ 80 636 4367 6900 34197 ];

      # Contiguous 10001-port UDP range; presumably a media/relay service
      # that negotiates ports dynamically — confirm against the service config.
      allowedUDPPortRanges = [ { from = 42000; to = 52000; } ];

      # Traffic entering on wg0 bypasses the port filter entirely.
      trustedInterfaces = [ "wg0" ];

      # Forward-chain rules in nftables syntax (wildcard interface match):
      #   wg42_*   -> wg42_*     : all traffic
      #   tailscale0 -> wg42_*   : all traffic
      #   wg42_*   -> tailscale0 : tcp/22 only
      # Anything not matched here falls through to the default forward policy.
      extraForwardRules = ''
        meta iifname "wg42_*" meta oifname "wg42_*" accept
        meta iifname tailscale0 meta oifname "wg42_*" accept
        meta iifname "wg42_*" meta oifname tailscale0 tcp dport 22 accept
      '';
    };
  };
}