diff --git a/app/sovran_systemsos_web/server.py b/app/sovran_systemsos_web/server.py
index 67c71ff..0721387 100644
--- a/app/sovran_systemsos_web/server.py
+++ b/app/sovran_systemsos_web/server.py
@@ -685,7 +685,10 @@ def _check_port_status(
         for pt in ports_set
     )
 
-    if is_listening and is_allowed:
+    # A process bound to the port is the authoritative signal; firewall
+    # detection (nft/iptables) is only used as a secondary hint when nothing
+    # is listening yet.
+    if is_listening:
         return "listening"
     if is_allowed:
         return "firewall_open"
diff --git a/configuration.nix b/configuration.nix
index bea699b..ea87f26 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -97,6 +97,7 @@
   nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ];
 
   environment.systemPackages = with pkgs; [
+    nftables
     git wget fish htop btop
     gnomeExtensions.transparent-top-bar-adjustable-transparency
     gnomeExtensions.dash-to-dock