diff --git a/data.nix b/data.nix
index b1a7c74..aee2122 100644
--- a/data.nix
+++ b/data.nix
@@ -86,6 +86,19 @@ rec {
 };
 };
+ # copied from nixpkgs/lib/attrsets.nix
+ attrVals = nameList: set: map (x: set.${x}) nameList;
+
+ motiejus_ips = let
+ mHosts =
+ attrVals [
+ "mxp10.motiejus.jakst"
+ "fwmine.motiejus.jakst"
+ ]
+ hosts;
+ in
+ builtins.catAttrs "jakstIP" mHosts;
+
 tailscale_subnet = {
 cidr = "100.89.176.0/20";
 range = "100.89.176.0-100.89.191.255";
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index c5b088f..14dc5cf 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -143,12 +143,17 @@
 };
 services = {
- friendlyport.vpn.ports = [
- 80
- 443
- myData.ports.grafana
- myData.ports.prometheus
- myData.ports.soju
+ friendlyport.ports = [
+ {
+ subnets = [myData.tailscale_subnet.cidr];
+ tcp = [
+ 80
+ 443
+ myData.ports.grafana
+ myData.ports.prometheus
+ myData.ports.soju
+ ];
+ }
 ];
 node_exporter.enable = true;
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 6841246..1594c6f 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ myData,
 ...
 }: {
 imports = [
@@ -33,7 +34,12 @@
 config = {
 time.timeZone = config.mj.timeZone;
- mj.services.friendlyport.vpn.ports = [config.services.iperf3.port];
+ mj.services.friendlyport.ports = [
+ {
+ subnets = [myData.tailscale_subnet.cidr];
+ tcp = [config.services.iperf3.port];
+ }
+ ];
 i18n = {
 defaultLocale = "en_US.UTF-8";
diff --git a/modules/services/friendlyport/default.nix b/modules/services/friendlyport/default.nix
index ee33b10..5803671 100644
--- a/modules/services/friendlyport/default.nix
+++ b/modules/services/friendlyport/default.nix
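Review bot: `attrVals` is bound directly inside the `rec { … }` set, so it becomes a public attribute of the data set next to `hosts` and `tailscale_subnet` although its only consumer is the `motiejus_ips` binding two lines below. The helper can be dropped by indexing `hosts` directly, e.g. `motiejus_ips = builtins.catAttrs "jakstIP" (map (h: hosts.${h}) ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"]);`, or moved into that binding's own `let`. Either form still fails at evaluation time on a misspelled host name (`set.${x}` on an absent key), which is the right failure mode for a value that ends up in a firewall allow-list. The opening of the `rec` set is outside the hunk; that `hosts` is a sibling attribute is inferred from the old friendlyport module, which read `myData.hosts`.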
@@ -4,47 +4,57 @@
 myData,
 ...
 }: {
- options.mj.services.friendlyport.motiejus = with lib.types; {
+ options.mj.services.friendlyport = with lib.types; {
 ports = lib.mkOption {
- type = listOf int;
- default = [];
- };
- };
- options.mj.services.friendlyport.vpn = with lib.types; {
- ports = lib.mkOption {
- type = listOf int;
- default = [];
+ type = listOf (submodule (
+ {...}: {
+ options = {
+ subnets = lib.mkOption {type = listOf str;};
+ tcp = lib.mkOption {
+ type = listOf int;
+ default = [];
+ };
+ udp = lib.mkOption {
+ type = listOf int;
+ default = [];
+ };
+ };
+ }
+ ));
 };
 };
 config = let
- portsM = config.mj.services.friendlyport.motiejus.ports;
- portsV = config.mj.services.friendlyport.vpn.ports;
- portsMStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.motiejus.ports);
- portsVStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.vpn.ports);
- hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
- ips = lib.catAttrs "jakstIP" hosts;
- startLinesM =
- if builtins.length portsM > 0
- then map (ip: "iptables -A INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT") ips
- else [];
- startLinesV =
- if builtins.length portsV > 0
- then "iptables -A INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT"
- else "";
+ ports = config.mj.services.friendlyport.ports;
+ mkAdd = (
+ proto: subnets: ints: let
+ subnetsS = builtins.concatStringsSep "," subnets;
+ intsS = builtins.concatStringsSep "," (map builtins.toString ints);
+ in
+ if builtins.length ints == 0
+ then ""
+ else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
+ );
+
+ startTCP = map(attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
+ startUDP = map(attr: mkAdd "udp" attr.subnets attr.udp) ports;
 # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
 # How to stop the old one and start the new one?
- stopLinesM =
- if builtins.length portsM > 0
- then map (ip: "iptables -D INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT || :") ips
- else [];
- stopLinesV =
- if builtins.length portsV > 0
- then "iptables -D INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT || :"
- else "";
+ mkDel = (
+ proto: subnets: ints: let
+ subnetsS = builtins.concatStringsSep "," subnets;
+ intsS = builtins.concatStringsSep "," (map builtins.toString ints);
+ in
+ if builtins.length ints == 0
+ then ""
+ else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
+ );
+
+ stopTCP = map(attr: mkDel "tcp" attr.subnets attr.tcp) ports;
+ stopUDP = map(attr: mkDel "udp" attr.subnets attr.udp) ports;
 in {
- networking.firewall.extraCommands = lib.concatLines (startLinesM ++ [startLinesV]);
- networking.firewall.extraStopCommands = lib.concatLines (stopLinesM ++ [stopLinesV]);
+ networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
+ networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
 };
 }
diff --git a/modules/services/node_exporter/default.nix b/modules/services/node_exporter/default.nix
index c43e7c5..bf2f482 100644
--- a/modules/services/node_exporter/default.nix
+++ b/modules/services/node_exporter/default.nix
@@ -27,8 +27,11 @@
 gid = myData.uidgid.node_exporter;
 };
- mj.services.friendlyport.vpn.ports = [
- myData.ports.exporters.node
+ mj.services.friendlyport.ports = [
+ {
+ subnets = [myData.tailscale_subnet.cidr];
+ tcp = [myData.ports.exporters.node];
+ }
 ];
 };
 }
diff --git a/modules/services/snmp_exporter/default.nix b/modules/services/snmp_exporter/default.nix
index dcfdd8a..94de1cd 100644
--- a/modules/services/snmp_exporter/default.nix
+++ b/modules/services/snmp_exporter/default.nix
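Review bot: `subnets` has no default and `listOf str` accepts `[]`, yet `mkAdd`/`mkDel` only guard the port list, so an entry with an empty `subnets` renders `--source  -j ACCEPT`, which iptables will most likely reject when extraCommands run and the firewall unit starts. Constraining it at the option, `subnets = lib.mkOption {type = nonEmptyListOf str;};`, makes that misconfiguration fail at evaluation instead of at service start. `mkAdd` and `mkDel` are otherwise identical apart from `-A`/`-D` and the trailing `|| :`; one parameterised generator (below) removes the duplicated body and is the natural place to keep an empty-list guard for both inputs. None of the three new options carries a `description`, and `map(attr: …)` would normally be written `map (attr: …)` in this repository's alejandra-formatted style. The `config = let … in { … }` body spans the whole hunk; the enclosing module function begins above it.
```nix
  config = let
    ports = config.mj.services.friendlyport.ports;
    # One generator for both phases: action is "-A" (start) or "-D" (stop),
    # suffix is "" or " || :". Yields "" when there is nothing to match so no
    # malformed iptables line reaches extraCommands/extraStopCommands.
    mkRule = action: suffix: proto: subnets: ints: let
      subnetsS = builtins.concatStringsSep "," subnets;
      intsS = builtins.concatStringsSep "," (map builtins.toString ints);
    in
      if builtins.length ints == 0 || builtins.length subnets == 0
      then ""
      else "iptables ${action} INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT${suffix}";
    mkAdd = mkRule "-A" "";
    mkDel = mkRule "-D" " || :";
    # … unchanged: startTCP/startUDP/stopTCP/stopUDP, the TODO on reload ordering, and the networking.firewall assignments …
```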
@@ -2,6 +2,7 @@
 config,
 lib,
 pkgs,
+ myData,
 ...
 }: {
 options.mj.services.snmp_exporter = with lib.types; {
@@ -9,7 +10,12 @@
 };
 config = lib.mkIf config.mj.services.snmp_exporter.enable {
- mj.services.friendlyport.vpn.ports = [config.services.prometheus.exporters.snmp.port];
+ mj.services.friendlyport.ports = [
+ {
+ subnets = [myData.tailscale_subnet.cidr];
+ tcp = [config.services.prometheus.exporters.snmp.port];
+ }
+ ];
 services.prometheus.exporters.snmp = {
 enable = true;
diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix
index b0f13cd..40c96e5 100644
--- a/modules/services/syncthing/default.nix
+++ b/modules/services/syncthing/default.nix
@@ -14,7 +14,12 @@ in {
 };
 config = lib.mkIf config.mj.services.syncthing.enable {
- mj.services.friendlyport.motiejus.ports = [8384];
+ mj.services.friendlyport.ports = [
+ {
+ subnets = myData.motiejus_ips;
+ tcp = [8384];
+ }
+ ];
 services.syncthing = {
 enable = config.mj.services.syncthing.enable;
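Review bot: `subnets = myData.motiejus_ips;` reads `myData`, but unlike the base and snmp_exporter hunks this one does not add `myData,` to the module's argument set; the module header and the `let … in` above the hunk are outside SOURCE, so if `myData` is not already an argument there the module will fail to evaluate. `motiejus_ips` is also a list of individual host addresses (the `jakstIP` values) rather than CIDR ranges, which iptables `--source` accepts but which reads oddly under an option named `subnets`; a one-line comment at this line such as `# individual host IPs, not CIDR blocks; see motiejus_ips in data.nix` would save the next reader a lookup.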