diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index b95b86e..604aa08 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -197,5 +197,11 @@
         prefixLength = 24;
       }
     ];
+    firewall = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+      logRefusedConnections = false;
+      checkReversePath = "loose"; # for tailscale
+    };
   };
 }