diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix
index fd8e958..64b4a41 100644
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@@ -6,7 +6,7 @@
 inherit (lib.modules) mkDefault mkForce;
 in {
 imports = [
- #./firewall
+ ./firewall
 ./ssh.nix
 #./tailscale.nix
diff --git a/modules/nixos/networking/firewall/default.nix b/modules/nixos/networking/firewall/default.nix
new file mode 100644
index 0000000..bd89628
--- /dev/null
+++ b/modules/nixos/networking/firewall/default.nix
@@ -0,0 +1,30 @@
+{
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkForce;
+in {
+ imports = [
+ ./fail2ban.nix
+ ];
+
+ config = {
+ networking.firewall = {
+ enable = true;
+ package = pkgs.iptables;
+
+ allowedTCPPorts = [
+ 443
+ 80
+ ];
+ allowedUDPPorts = [];
+
+ # make a much smaller and easier to read log
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+
+ checkReversePath = mkForce false;
+ };
+ };
+}
diff --git a/modules/nixos/networking/firewall/fail2ban.nix b/modules/nixos/networking/firewall/fail2ban.nix
new file mode 100644
index 0000000..2f09006
--- /dev/null
+++ b/modules/nixos/networking/firewall/fail2ban.nix
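Review bot: In the firewall/default.nix hunk, `checkReversePath = mkForce false;` switches off the reverse-path (anti-spoofing) check, which makes `logReversePathDrops = true;` a few lines above it dead configuration — a disabled check drops nothing, so the "smaller and easier to read log" comment does not describe what this block achieves. If the check is being disabled for a reason (an overlay or VPN interface that breaks strict rp_filter is the usual one), that reason belongs next to the line, e.g. `# rp_filter disabled: <reason>; mkForce so no other module turns it back on`; otherwise `checkReversePath = "loose";` keeps spoofed-source drops while tolerating asymmetric routes. Either way, `mkForce` means no other module in the configuration can tighten this setting again, which is worth stating explicitly if intended.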
@@ -0,0 +1,65 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge mkForce;
+ inherit (lib.strings) concatStringsSep;
+
+ cfg = config.olympus.services;
+in {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 7;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "192.168.0.0/16"
+ "100.64.0.0/10" # tailscale
+ ];
+
+ jails = mkMerge [
+ {
+ # sshd jail
+ sshd = mkForce ''
+ enabled = true
+ port = ${concatStringsSep "," (map toString config.services.openssh.ports)}
+ mode = aggressive
+ '';
+ }
+
+ (mkIf cfg.vaultwarden.enable {
+ # vaultwarden and vaultwarden admin interface jails
+ vaultwarden = ''
+ enabled = true
+ port = 80,443,8822
+ filter = vaultwarden
+ banaction = %(banaction_allports)s
+ logpath = /var/log/vaultwarden.log
+ maxretry = 3
+ bantime = 14400
+ findtime = 14400
+ '';
+
+ vaultwarden-admin = ''
+ enabled = true
+ port = 80,443
+ filter = vaultwarden-admin
+ banaction = %(banaction_allports)s
+ logpath = /var/log/vaultwarden.log
+ maxretry = 3
+ bantime = 14400
+ findtime = 14400
+ '';
+ })
+ ];
+
+ bantime-increment = {
+ enable = true;
+ rndtime = "12m";
+ overalljails = true;
+ multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+ maxtime = "192h";
+ };
+ };
+}
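Review bot: The `filter = vaultwarden` and `filter = vaultwarden-admin` lines in the two vaultwarden jails reference filter definitions that this commit does not add and that are not part of fail2ban's stock filter.d; unless `fail2ban/filter.d/vaultwarden.conf` and `vaultwarden-admin.conf` are supplied elsewhere (e.g. through `environment.etc`), those jails fail to load as soon as `cfg.vaultwarden.enable` is set, leaving vaultwarden unprotected while the config still looks complete. `logpath = /var/log/vaultwarden.log` likewise assumes the vaultwarden service is configured to write a log file there rather than to the journal — a comment pointing at where that is set up would let a reader verify it. Separately, `ignoreIP` exempts all of 10/8, 192.168/16 and the tailscale 100.64/10 range, so a compromised LAN or tailnet host is never banned by any jail; if that is the intent, record it, e.g. `# trusted networks: failed logins from these are never banned`.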