diff --git a/configuration.nix b/configuration.nix
index 2f2686d..043d778 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -31,8 +31,7 @@
   networking.hostName = "nixos";
   networking.networkmanager.enable = true;
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 8448 3051 ];
-  networking.firewall.allowedUDPPorts = [ 8448 3051 5353 ];
+  networking.firewall.allowedUDPPorts = [ 5353 ];
 
   # ── Avahi (mDNS) ───────────────────────────────────────────
   services.avahi = {
diff --git a/modules/bitcoinecosystem.nix b/modules/bitcoinecosystem.nix
index 76f4166..ac8b8b5 100755
--- a/modules/bitcoinecosystem.nix
+++ b/modules/bitcoinecosystem.nix
@@ -99,6 +99,9 @@ lib.mkIf config.sovran_systemsOS.services.bitcoin {
     '';
   };
 
+  networking.firewall.allowedTCPPorts = [ 3051 ];
+  networking.firewall.allowedUDPPorts = [ 3051 ];
+
    sovran_systemsOS.domainRequirements = [
     { name = "btcpayserver"; label = "BTCPay Server"; example = "pay.yourdomain.com"; }
   ];
diff --git a/modules/core/sovran-hub.nix b/modules/core/sovran-hub.nix
index 908eddc..acb2cd5 100644
--- a/modules/core/sovran-hub.nix
+++ b/modules/core/sovran-hub.nix
@@ -375,7 +375,7 @@ in
 
     environment.systemPackages = [ sovran-hub-web ];
 
-    networking.firewall.allowedTCPPorts = [ 3051 8937 60847 ];
+    networking.firewall.allowedTCPPorts = [ 8937 60847 ];
 
     # ── Auto-launch Hub in browser on login ───────────────────────
     environment.etc."xdg/autostart/sovran-hub-autolaunch.desktop".text = ''
diff --git a/modules/synapse.nix b/modules/synapse.nix
index 2950d78..a2e914e 100755
--- a/modules/synapse.nix
+++ b/modules/synapse.nix
@@ -251,6 +251,9 @@ CREDS
     '';
   };
 
+  networking.firewall.allowedTCPPorts = [ 8448 ];
+  networking.firewall.allowedUDPPorts = [ 8448 ];
+
   sovran_systemsOS.domainRequirements = [
     { name = "matrix"; label = "Matrix Synapse"; example = "matrix.yourdomain.com"; }
   ];