diff --git a/hosts/bifrost/network/default.nix b/hosts/bifrost/network/default.nix
index c192749..f29897e 100644
--- a/hosts/bifrost/network/default.nix
+++ b/hosts/bifrost/network/default.nix
@@ -1,5 +1,5 @@
 { lib, ... }:
 {
-  imports = [ ./wireguard.nix ];
+  imports = [ ./firewall.nix ./wireguard.nix ];
 
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@@ -44,7 +44,6 @@
     ];
     useDHCP = lib.mkDefault false;
     useNetworkd = true;
-    nftables.enable = true;
   };
 }
 
diff --git a/hosts/bifrost/network/firewall.nix b/hosts/bifrost/network/firewall.nix
new file mode 100644
index 0000000..fff12a0
--- /dev/null
+++ b/hosts/bifrost/network/firewall.nix
@@ -0,0 +1,20 @@
+_: {
+  networking = {
+    firewall.allowedTCPPorts = [ 42069 ];
+    nftables = {
+      enable = true;
+      ruleset = ''
+        table ip nat {
+          chain PREROUTING {
+            type nat hook prerouting priority -100 ;
+            iifname ens3 tcp dport 42069 dnat to 10.10.10.13
+          }
+          chain POSTROUTING {
+            type nat hook postrouting priority 100 ;
+            ip daddr 10.10.10.13 masquerade
+          };
+        }
+      '';
+    };
+  };
+}
diff --git a/hosts/bifrost/services/apps/forgejo.nix b/hosts/bifrost/services/apps/forgejo.nix
index 6bb75f9..1f1383c 100644
--- a/hosts/bifrost/services/apps/forgejo.nix
+++ b/hosts/bifrost/services/apps/forgejo.nix
@@ -1,8 +1,5 @@
 _:
-let
-  domainName = "forge.acomputer.lol";
-in
-{
+let domainName = "forge.acomputer.lol"; in {
   services = {
     caddy.virtualHosts."${domainName}" = {
       extraConfig = ''
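Review bot: In firewall.nix, `firewall.allowedTCPPorts = [ 42069 ]` only opens the host's own input chain, and does so on every interface, whereas connections DNAT'd to 10.10.10.13 traverse the forward hook — so this line does not gate the port-forward and is not limited to `ens3` the way the nat rule is; if a host-local listener on that port is intended, scope it with `firewall.interfaces.ens3.allowedTCPPorts = [ 42069 ];`, otherwise it can be dropped. Whether the forwarded flows are then accepted depends on the forward-hook rules generated by the NixOS firewall and nat modules, which this file does not configure, so the result should be confirmed with `nft list ruleset` on the host. In POSTROUTING, `ip daddr 10.10.10.13 masquerade` rewrites the source address of every flow towards that peer, not just the forwarded ones, so the backend sees bifrost's address instead of the client's and loses per-client logging and rate limiting; narrowing it to `ct status dnat ip daddr 10.10.10.13 masquerade` confines the effect to the port-forward (and masquerade can be omitted entirely if 10.10.10.13 already routes replies back through this host). The stray `;` after the POSTROUTING block is inconsistent with the PREROUTING chain above it. As a style point, `networking.nat.forwardPorts` expresses this forward declaratively and keeps it integrated with the firewall module instead of a hand-written ruleset.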