diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix
index 9c12b98..c691733 100644
--- a/config/host-config/limina.nix
+++ b/config/host-config/limina.nix
@@ -20,13 +20,9 @@ in {
       "openssh-with-gssapi-8.4p1" # CVE-2021-28041
     ];
-  networking = {
-    firewall = {
-      enable = true;
-      trustedInterfaces = [ "intif0" "intif1" "intif2" "lo" ];
-      allowedTCPPorts = [ 22 ];
-    };
+
+  networking = {
     interfaces = {
       enp1s0 = { useDHCP = true; };
@@ -41,14 +37,25 @@ in {
       intif2 = { useDHCP = false; };
     };
+    # FIXME: this should be automatic
+    firewall.trustedInterfaces = [
+      "intif0"
+      "intif1"
+      "intif2"
+      "lo"
+      "docker0"
+    ];
+
     nat = {
       enable = true;
       externalInterface = "enp1s0";
-      internalInterfaces = [ "intif0" ];
+      internalInterfaces = [ "intif0" "intif1" "intif2" ];
     };
   };
   fudo = {
+    hosts.limina.external-interfaces = [ "enp1s0" ];
+
     local-network = {
       enable = true;
       domain = domain-name;
diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix
index e95e398..cd771b7 100644
--- a/config/profile-config/common.nix
+++ b/config/profile-config/common.nix
@@ -56,7 +56,7 @@ in {
     };
     fail2ban = {
-      enable = true;
+      enable = config.networking.firewall.enable;
       bantime-increment.enable = true;
     };
diff --git a/lib/fudo/hosts/local-network.nix b/lib/fudo/hosts/local-network.nix
index f4d2c70..f2de116 100644
--- a/lib/fudo/hosts/local-network.nix
+++ b/lib/fudo/hosts/local-network.nix
@@ -6,6 +6,7 @@ with lib; let
   cfg = config.fudo.hosts.local-network;
+  # FIXME: this isn't used, is it?
   gatewayServerOpts = { ... }: {
     options = {
       enable = mkEnableOption "Turn this host into a network gateway.";
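Review bot: Removing `allowedTCPPorts = [ 22 ];` along with the old `firewall` block leaves no explicit rule admitting SSH on enp1s0, the one interface that is neither trusted nor internal, so reachability of port 22 from outside now depends on `services.openssh.openFirewall` (default true in NixOS) being left at its default somewhere else in this file, which the hunk does not show. The firewall itself stays active because `networking.firewall.enable` also defaults to true, so that part of the removal is harmless. If relying on the openssh module's default is the intent, a one-line comment at the head of the `networking` set would save the next reader the search, e.g. `# SSH on enp1s0 is admitted by services.openssh.openFirewall, not allowedTCPPorts`. The `networking` attribute set continues past the end of this hunk.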
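Review bot: Adding `"docker0"` to `firewall.trustedInterfaces` exempts every packet arriving from the Docker bridge from input filtering, so any container on that bridge can reach every listening service on the host, including ones intended only for the intif* LAN side; the `# FIXME: this should be automatic` comment describes the mechanism but not this trust expansion. It would be worth either narrowing this to the specific ports containers need or replacing the FIXME with a comment that records why full trust is acceptable here, e.g. `# docker0 is fully trusted: containers on this host are treated as LAN peers`. The widening of `nat.internalInterfaces` to all three intif interfaces is consistent with the trusted list and looks fine.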
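Review bot: Tying `enable = config.networking.firewall.enable;` silently turns fail2ban off on any host that disables the firewall, and nothing on the line says why, so a later reader may "fix" it back to `true` and hit the NixOS fail2ban module's assertion that the firewall must be enabled. A short comment would make the dependency explicit, e.g. `# fail2ban needs the NixOS firewall; follow its setting instead of failing evaluation on firewall-less hosts`. Consider also whether hosts that disable the firewall should be warned that brute-force banning is gone rather than losing it quietly.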