diff --git a/modules/nixos/networking/firewall/default.nix b/modules/nixos/networking/firewall/default.nix
index 355c802..bd89628 100644
--- a/modules/nixos/networking/firewall/default.nix
+++ b/modules/nixos/networking/firewall/default.nix
@@ -1,5 +1,30 @@
 {
+ pkgs,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkForce;
+in {
 imports = [
 ./fail2ban.nix
 ];
+
+ config = {
+ networking.firewall = {
+ enable = true;
+ package = pkgs.iptables;
+
+ allowedTCPPorts = [
+ 443
+ 80
+ ];
+ allowedUDPPorts = [];
+
+ # make a much smaller and easier to read log
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+
+ checkReversePath = mkForce false;
+ };
+ };
 }
diff --git a/modules/nixos/networking/ssh.nix b/modules/nixos/networking/ssh.nix
index 918994f..40843ef 100644
--- a/modules/nixos/networking/ssh.nix
+++ b/modules/nixos/networking/ssh.nix
@@ -1,7 +1,6 @@
 {...}: {
 services.openssh = {
 enable = true;
- startWhenNeeded = true;
 settings = {
 PermitRootLogin = "no";
 PasswordAuthentication = false;
diff --git a/systems/theia/networking.nix b/systems/theia/networking.nix
index 4daf9c2..fcdf4b4 100644
--- a/systems/theia/networking.nix
+++ b/systems/theia/networking.nix
@@ -5,8 +5,6 @@ in {
 enableIPv6 = true;
 firewall = {
 allowedTCPPorts = [
- 80 # HTTP
- 443 # HTTPS
 25565 # minecraft
 25566 # minecraft
 25567 # minecraft
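Review bot: `checkReversePath = mkForce false;` in the firewall/default.nix hunk switches off the kernel reverse-path (anti-spoofing) filter for every host that imports this shared module, and because it is `mkForce` a per-system module can no longer turn it back on; the commit gives no reason for it. If one host needs it (asymmetric routing on a VPN interface, say), set it in that host's config or use `mkDefault` here, and add a comment naming the reason, e.g. `# rp_filter disabled: <reason> -- TODO name the host/interface that needs this`. With the check off, `logReversePathDrops = true;` two lines above has nothing to log (as far as I can tell the NixOS module only installs the rpfilter logging rule when checkReversePath is enabled), so the "smaller and easier to read log" comment is misleading. Moving `80`/`443` into this shared module while removing them from systems/theia/networking.nix (third hunk, whose `allowedTCPPorts` list continues outside the hunk) also opens those ports on every host that imports the module rather than only theia; unless each of those hosts serves HTTP(S), the ports belong in the per-host configs.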