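{
  # Host firewall managed by ferm. INPUT and FORWARD default to DROP,
  # OUTPUT is left open; the same rule set is loaded for IPv4 and IPv6.
  services.ferm = {
    enable = true;
    config = ''
      # ICMP / ICMPv6 are accepted on INPUT before the shared filter block below.
      domain ip table filter chain INPUT proto icmp ACCEPT;
      domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          # Conntrack decisions come first: INVALID packets are dropped before
          # any port rule can match them (previously an INVALID packet aimed at an
          # open port was still accepted), and replies to established flows do not
          # have to walk the per-port rules.
          mod state state (INVALID) DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          # Interfaces whose traffic is accepted unconditionally.
          interface lo ACCEPT;
          interface tailscale0 ACCEPT;
          interface intern-+ ACCEPT;
          interface wg0 ACCEPT;
          interface wg42_chris ACCEPT;
          interface wg42_lutoma ACCEPT;

          # Services reachable on every interface; no source restriction applies.
          proto tcp dport (22 53 80 443 6900 8000 http https) ACCEPT;
          proto udp dport (22 53 480:500 6900 8000) ACCEPT;
          # BGP; presumably for dn42 peering (see the FORWARD rules below).
          proto tcp dport (179) ACCEPT;
          # dns
          proto (udp tcp) dport domain ACCEPT;
        }

        chain OUTPUT {
          policy ACCEPT;
        }

        chain FORWARD {
          policy DROP;
          # allow intern routing and dn42 forwarding
          interface dn42-+ outerface dn42-+ ACCEPT;
          interface intern-+ outerface intern-+ ACCEPT;
          interface intern-+ outerface dn42-+ ACCEPT;
          # but dn42 -> intern only with exceptions
          interface dn42-+ outerface intern-+ {
            proto (ipv6-icmp icmp) ACCEPT;
            # Allow SSH Access from dn42 to devices behind intern-+ Interfaces
            proto tcp dport (ssh) ACCEPT;
            # Otherwise only return traffic of flows already opened from the intern side.
            mod state state (ESTABLISHED) ACCEPT;
          }
        }
      }
    '';
  };
}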