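{
  # Host firewall configuration. Both the NixOS firewall module and ferm are
  # enabled here, and both program the filter table; the ferm ruleset below is
  # the intended policy. NOTE(review): confirm on activation that the two do
  # not overwrite each other's rules.
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 8000 ];

  services.ferm = {
    enable = true;
    config = ''
      # ICMP is accepted unconditionally on INPUT for both address families
      # (the ip6 rule covers ICMPv6, which IPv6 relies on for neighbour discovery).
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          # Connection tracking is evaluated first: INVALID packets are dropped
          # before any interface- or port-based ACCEPT can match them, and
          # replies to established flows are accepted without walking the
          # per-port rules. In the previous ordering an INVALID packet aimed at
          # an open port was accepted before this DROP was ever reached.
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          # Trusted interfaces: loopback and the VPN/overlay links accept everything.
          interface lo ACCEPT;
          interface tailscale0 ACCEPT;
          interface wg42_+ ACCEPT;
          interface wg0 ACCEPT;

          # Services reachable on every interface, including the public one:
          # 22 ssh, 53 dns, 80/443 http(s), 179 bgp, and 6900/8000
          # (application ports; their purpose is not documented here).
          # Duplicates from the original list (http/https, a second dns rule)
          # are folded into this single rule.
          proto tcp dport (22 53 80 443 179 6900 8000) ACCEPT;
          # 480:510 is a port range. udp/22 is kept from the original ruleset
          # although ssh is tcp-only — TODO confirm it is still wanted.
          proto udp dport (22 53 480:510 6900 8000) ACCEPT;
        }

        chain OUTPUT {
          policy ACCEPT;
        }

        chain FORWARD {
          policy DROP;

          # Routing inside each overlay, and from tailscale0 into dn42, is open.
          interface wg42_+ outerface wg42_+ ACCEPT;
          interface tailscale0 outerface tailscale0 ACCEPT;
          interface tailscale0 outerface wg42_+ ACCEPT;

          # dn42 -> intern is limited to icmp, ssh and replies to established flows.
          interface wg42_+ outerface tailscale0 {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH access from dn42 to devices behind the tailscale0 interface.
            proto tcp dport (ssh) ACCEPT;
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}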