diff --git a/hosts/yate/configuration.nix b/hosts/yate/configuration.nix
index 126d837..5e1f8a6 100644
--- a/hosts/yate/configuration.nix
+++ b/hosts/yate/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports =
@@ -91,6 +91,52 @@
 };
 };
+ networking.firewall.enable = false;
+ networking.nftables = {
+ enable = true;
+ ruleset = let
+ tcpPorts = lib.concatStringsSep ", " (map toString config.networking.firewall.allowedTCPPorts);
+ in ''
+ table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+
+ iifname lo accept
+ ct state {established, related} accept
+
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+ ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+ ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+ ip protocol icmp icmp type echo-request accept
+
+ tcp dport 22 accept
+ tcp dport { ${tcpPorts} } accept
+
+ iif {vlan132, vlan133} accept
+
+ udp dport 5060 ip saddr { 10.42.10.9 } accept
+ udp dport 5060 ip6 saddr { 2a01:4f8:1c0c:8221::9 } accept
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+
+ ct state {established, related} accept
+ iif {vlan132, vlan133} accept
+
+ ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+ ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+
+ ip6 nexthdr icmpv6 icmpv6 type echo-request accept
+ ip protocol icmp icmp type echo-request accept
+
+ ip saddr 10.42.201.0/24 accept
+ }
+ }
+ '';
+ };
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
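Review bot: `iif {vlan132, vlan133} accept` (used in both the input and forward chains) resolves the interface names to indices when the ruleset is loaded, so if those VLAN devices do not exist yet at that moment the whole ruleset fails to load, and because `networking.firewall.enable = false` the host is then left with no input filtering at all; `iifname { "vlan132", "vlan133" } accept` matches by name at packet time and tolerates a missing device. The same fail-open outcome applies to `tcp dport { ${tcpPorts} } accept` whenever `allowedTCPPorts` is empty, since nft rejects an empty anonymous set — guard it with `${lib.optionalString (config.networking.firewall.allowedTCPPorts != []) "tcp dport { ${tcpPorts} } accept"}`. Note also that only `allowedTCPPorts` is carried over from the NixOS firewall options; `allowedUDPPorts`, the port-range options and per-interface settings that other modules may set are silently ignored, which deserves a comment next to the `tcpPorts` binding. The hunk's trailing context appears truncated after the third comment line.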