diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix
index 1f0f5c47..cebbca43 100644
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@@ -54,17 +54,39 @@
 interface = "enp1s0";
 };
- networking.firewall.allowedTCPPorts =
- [ 22 80 443 5160 5060 8999 64738 1935 53589 5001 62969 ];
- networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ];
- networking.firewall.allowedTCPPortRanges = [{
+ networking.firewall.interfaces.hexnet.allowedTCPPorts = [
+ 80 # http
+ 443 # https
+ ];
+
+ networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
+ 80 # http
+ 443 # https
+ 5160 # asterisk
+ 5060 # asterisk
+ 8999 # syncplay
+ 64738 # murmur
+ 1935 # rtmp
+ 53589 # taskwarrior
+ 5001 # znc
+ 62969 # yggdrasil
+ ];
+
+ networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
+ 5160 # asterisk
+ 5060 # asterisk
+ 64738 # murmur
+ ];
+
+ networking.firewall.interfaces.enp1s0.allowedTCPPortRanges = [{
 from = 10000;
 to = 20000;
- }];
- networking.firewall.allowedUDPPortRanges = [{
+ }]; # asterisk
+
+ networking.firewall.interfaces.enp1s0.allowedUDPPortRanges = [{
 from = 10000;
 to = 20000;
- }];
+ }]; # asterisk
 deploy.tf.dns.records.kittywitch_net_athame = {
 tld = "kittywit.ch.";
diff --git a/hosts/samhain/nixos/default.nix b/hosts/samhain/nixos/default.nix
index ce2b2ae0..4712d7e2 100644
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
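Review bot: Port 22 disappears from the rewritten allow-lists without a comment; the removed global `networking.firewall.allowedTCPPorts` opened it on every interface, and neither the new `hexnet` nor the new `enp1s0` list carries it. If sshd is enabled with `services.openssh.openFirewall` left at its default the port stays open on all interfaces and the omission is only cosmetic, otherwise this change cuts remote access to the host on activation; either way a one-line comment such as `# 22 (ssh) is opened by services.openssh.openFirewall` beside the `enp1s0` list would make the intent reviewable. The samhain hunk in this commit drops 9091 (transmission) and 5000 (mkchromecast) from its list in the same silent way. It is also worth confirming that `hexnet` is the kernel interface name rather than a logical network name, since `networking.firewall.interfaces.<name>` rules never match otherwise.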
@@ -104,14 +104,32 @@ in {
 networking.useDHCP = false;
 networking.interfaces.enp34s0.useDHCP = true;
 networking.firewall.allowPing = true;
- networking.firewall.allowedTCPPorts =
- [ 1935 80 443 445 139 9091 5000 32101 ]; # smb transmission mkchromecast
- networking.firewall.allowedUDPPorts = [ 137 138 4010 ]; # smb scream
+
+ networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
+ 1935 # rtmp
+ 80 # http
+ 443 # https
+ 445 # samba
+ 139 # samba
+ ];
+
+ networking.firewall.interfaces.hexnet.allowedTCPPorts = [
+ 80 # http
+ 443 # https
+ 32101 # mpv
+ ];
+
+ networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
+ 137 # samba
+ 138 # samba
+ 4010 # scream
+ ];
+
 networking.firewall.allowedUDPPortRanges = [{
 from = 32768;
 to = 60999;
- } # dnla
- ];
+ }]; # dnla
+
 services.avahi.enable = true;
 hexchen.network = {
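Review bot: The new samhain firewall lists are attached to `enp1s0`, but the context line `networking.interfaces.enp34s0.useDHCP = true;` just above suggests this host's physical interface is `enp34s0`, so the samba, rtmp and http rules look copied from athame and would never match; if `enp1s0` does not exist here those services silently become unreachable, and if such an interface appears later they are exposed on it unintentionally. The likely fix is to rename the three attribute paths, e.g. `networking.firewall.interfaces.enp34s0.allowedTCPPorts = [` and the matching `allowedUDPPorts` line. Separately, `networking.firewall.allowedUDPPortRanges` for 32768-60999 (`# dnla`) stays on the global all-interface list while everything else was scoped per interface, so that range is now also reachable via `hexnet`; moving it under `networking.firewall.interfaces.enp34s0.allowedUDPPortRanges` would keep the exposure consistent with the rest of the hunk.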