diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix
index 70b7165..ac34f69 100644
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -23,6 +23,16 @@
 address = "10.0.42.40";
 prefixLength = 24;
 } ];
+ firewall = {
+ extraCommands = ''
+ # Accept all incoming TCP traffic from lake2
+ iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+ # Accept monitoring requests from hut
+ iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+ # Accept all Ceph traffic from the local network
+ iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+ '';
+ };
 };
 
 services.ceph = {
diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix
index aacf5b9..934f6f7 100644
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -45,6 +45,14 @@
 address = "10.0.42.42";
 prefixLength = 24;
 } ];
+ firewall = {
+ extraCommands = ''
+ # Accept all incoming TCP traffic from bay
+ iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+ # Accept monitoring requests from hut
+ iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+ '';
+ };
 };
 
 # Missing service for volumes, see:
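Review bot: The Ceph rule accepts from 10.0.40.0/24, but the interface configured just above this block is 10.0.42.40/24, so if the Ceph public and cluster networks run on that 10.0.42.0/24 link the rule never matches and peers are silently dropped; if 10.0.40.0/24 is a dedicated storage network on another interface outside the hunk, a comment naming it would stop the next reader from "fixing" it. The `-s lake2` and `-s hut` matches are resolved by iptables once, when the rule is loaded, so the policy follows whatever those names resolved to at that moment rather than the peer host — prefer the literal addresses (lake2 is 10.0.42.42 in the second hunk), e.g. `iptables -A nixos-fw -p tcp -s 10.0.42.42 -j nixos-fw-accept`, or keep the names only if they are pinned in `networking.hosts`. Accepting every TCP port from lake2 is also far broader than the per-port hut rule next to it; listing the ports lake2 actually needs would keep the two rules in the same style. The 6800:7568 upper bound is above Ceph's documented default ms_bind_port_max of 7300, which is fine if that setting was raised in the Ceph config but otherwise opens unused ports to the whole subnet. The enclosing networking block starts before the hunk.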
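Review bot: `-s bay -j nixos-fw-accept` grants bay every TCP port on lake2 with no `--dport`, and because iptables resolves the name only when the rule is loaded the grant follows whatever `bay` resolved to at that moment; bay's address is visible in the first hunk as 10.0.42.40, so `iptables -A nixos-fw -p tcp -s 10.0.42.40 -m multiport --dport <ports bay needs> -j nixos-fw-accept` would pin both the peer and the services. If the name does not resolve when the rules are loaded iptables rejects that rule, and whether the host then comes up with a partial rule set depends on the NixOS firewall start script's error handling — worth a comment on why names are used here, or an entry in `networking.hosts`. Unlike bay, nothing here accepts Ceph traffic from the rest of the 10.0.40.0/24 network, which is correct only if lake2 runs no Ceph daemons that nodes other than bay must reach. The enclosing networking block starts before the hunk.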