diff --git a/configuration.nix b/configuration.nix
index 9247800..a2fe2e4 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -83,12 +83,13 @@
 python3
 ];
- # TODO: firewalling
- # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
+ networking.firewall.enable = false;
+
+ networking.nftables = {
+ enable = true;
+ checkRuleset = true;
+ ruleset = builtins.readFile ./nftables.conf;
+ };
 system.stateVersion = "23.05";
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..56490a4
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,26 @@
+table inet nixos-fw {
+ chain rpfilter {
+ type filter hook prerouting priority mangle + 10; policy drop;
+ meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
+ fib saddr . mark . iif oif exists accept
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname "lo" accept comment "trusted interfaces"
+ ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
+ tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
+ }
+
+ chain input-allow {
+ tcp dport 22 accept
+ icmp type echo-request accept comment "allow ping"
+ icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
+ ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"
+ }
+
+ chain forward-allow {
+ type filter hook forward priority filter; policy drop;
+ ip daddr 192.168.30.0/24 accept
+ }
+}
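Review bot: `networking.firewall.enable = false;` silently disables every option-driven opening in this configuration (`networking.firewall.allowedTCPPorts`, any service's `openFirewall = true`), and nothing in the hunk records that the hand-written file is now the complete filter; a comment above the line such as `# NixOS firewall module disabled on purpose: ./nftables.conf is the whole filter; allowedTCPPorts/openFirewall options have no effect.` would stop a later edit from "opening" a port that never opens. The ruleset keeps the table name `nixos-fw`; if I read the NixOS nftables firewall correctly it declares a table of that same name, so re-enabling the module later would likely clash with this file, and a distinct table name would avoid that. `checkRuleset = true` is the right call, since a syntax error in the file would otherwise only surface when the nftables unit is restarted at activation.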
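Review bot: The `forward-allow` chain is a base chain with `policy drop` that accepts only packets whose daddr lies in 192.168.30.0/24 and has no conntrack rule, so replies from that subnet back to the originating host carry a different daddr and are dropped; forwarded TCP connections can never complete. Put a state rule ahead of the address match, mirroring the `input` chain: `ct state vmap { invalid : drop, established : accept, related : accept }`. The same policy drops every forwarded IPv6 packet and accepts IPv4 into that subnet from any ingress interface, which may well be intended but deserves a `comment "..."` on the rule stating so. Renaming the chain to `forward` would also keep the file's convention that `-allow` names are jump targets rather than hook chains.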