diff --git a/modules/networking/firewall.nix b/modules/networking/firewall.nix
index 4f63b8d..e0c177f 100644
--- a/modules/networking/firewall.nix
+++ b/modules/networking/firewall.nix
@@ -1,14 +1,29 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
+
+let
+  trustedSubnets = [ "192.168.27.0/24" "10.89.0.0/16" ]
+    ++ lib.optional (config.numbus.networking.networkSubnet != "") config.numbus.networking.networkSubnet;
+  trustedSubnetsStr = lib.concatStringsSep ", " trustedSubnets;
+in
 {
   config = {
     networking.nftables.enable = true;
+    networking.nftables.tables."numbus-filter" = {
+      family = "inet";
+      content = ''
+        chain input {
+          type filter hook input priority -10; policy accept;
+          tcp dport { 53, 80, 443 } ip saddr != { ${trustedSubnetsStr} } drop
+          udp dport { 53, 443 } ip saddr != { ${trustedSubnetsStr} } drop
+        }
+      '';
+    };
     networking.firewall = {
       enable = true;
       allowPing = true;
       allowedTCPPorts = [ 53 80 443 ];
       allowedUDPPorts = [ 53 443 ];
-      interfaces."*".allowedTCPPorts = [ 443 ];
     };
   };
 }
\ No newline at end of file
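Review bot: The source restriction in the new `numbus-filter` chain only covers IPv4: `ip saddr != { ... }` never matches an IPv6 packet, so IPv6 traffic to 53/80/443 falls through the `policy accept` chain and is then admitted by `allowedTCPPorts`/`allowedUDPPorts`, which open those ports for any source, and the per-interface allow that used to narrow 443 is removed in the same hunk. Unless IPv6 clients are expected, add explicit IPv6 handling next to the two drop rules, e.g. `meta nfproto ipv6 tcp dport { 53, 80, 443 } drop` and `meta nfproto ipv6 udp dport { 53, 443 } drop` (or an `ip6 saddr` rule against an IPv6 trusted list). The `priority -10; policy accept` ordering relies on this chain running before the NixOS firewall's own input chain; a one-line comment in `content` stating that dependency would help the next reader. The `lib.optional (… != "")` guard also presumes `networkSubnet` defaults to the empty string rather than `null`; if the option is nullable the guard passes and a null is spliced into the set literal — worth confirming against the option declaration.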