diff --git a/config/host-config/clunk.nix b/config/host-config/clunk.nix
index 5cd326f..386622a 100644
--- a/config/host-config/clunk.nix
+++ b/config/host-config/clunk.nix
@@ -6,9 +6,7 @@ let
 
   dns-proxy-port = 5335;
 
-  host-packages = with pkgs; [
-    nixops
-  ];
+  host-packages = with pkgs; [ nixops ];
 
   site-name = config.fudo.hosts.${config.instance.hostname}.site;
   site = config.fudo.site.${site-name};
@@ -53,13 +51,9 @@ in {
     network-definition = config.fudo.networks."rus.selby.ca";
   };
 
-  networking = {
-    firewall = {
-      enable = true;
-      trustedInterfaces = [ "intif0" "docker0" ];
-      allowedTCPPorts = [ 22 ];
-    };
+  fudo.hosts.clunk.external-interfaces = [ "enp1s0" ];
 
+  networking = {
     interfaces = {
       enp1s0.useDHCP = true;
 
diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 9c12b98..3c9eb6e 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -20,13 +20,9 @@ in {
       "openssh-with-gssapi-8.4p1" # CVE-2021-28041
     ];
 
-    networking = {
-      firewall = {
-        enable = true;
-        trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
-        allowedTCPPorts = [ 22 ];
-      };
+    fudo.hosts.limina.external-interfaces = [ "enp1s0" ];
 
+    networking = {
       interfaces = {
         enp1s0 = { useDHCP = true; };