diff --git a/hosts/services/firewall-services.nix b/hosts/services/firewall-services.nix
new file mode 100644
index 0000000..9adbf18
--- /dev/null
+++ b/hosts/services/firewall-services.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowPing = true;
+ # allowed TCP range
+ allowedTCPPorts = [ 22 80 2342 9001 9002];
+ };
+ services.fail2ban = {
+ enable = true;
+ maxretry = 2;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "212.114.16.52"
+ ];
+ };
+}
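Review bot: `allowedTCPPorts` opens 2342, 9001 and 9002 on every interface alongside 22 and 80, and nothing in the file says which services listen there or why they must be reachable from outside. If these are internal dashboards or metrics endpoints (an inference; the file does not name them), keep only 22 and 80 global and scope the rest, e.g. `networking.firewall.interfaces."<internal-iface>".allowedTCPPorts = [ 2342 9001 9002 ];`, or serve them through the proxy on 80. The comment `# allowed TCP range` is misleading because this is a port list rather than `allowedTCPPortRanges`; a comment naming the service behind each port would serve a reader better. The public address `212.114.16.52` in `ignoreIP` is never banned by fail2ban, so it should carry a comment saying whose address it is and that it is static.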