diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix
index a8dcbb4..2312373 100644
--- a/nixos/modules/common.nix
+++ b/nixos/modules/common.nix
@@ -122,7 +122,7 @@ in
 };
 openssh = {
- enable = true;
+ enable = mkDefault true;
 };
 };
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index 980bedb..d6bdca0 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -10,7 +10,7 @@ in
 enable = mkBoolOpt' true "Whether to enable the nftables-based firewall.";
 trustedInterfaces = options.networking.firewall.trustedInterfaces;
 tcp = {
- allowed = mkOpt' (listOf (either port str)) [ "ssh" ] "TCP ports to open.";
+ allowed = mkOpt' (listOf (either port str)) [ ] "TCP ports to open.";
 };
 udp = {
 allowed = mkOpt' (listOf (either port str)) [ ] "UDP ports to open.";
@@ -32,14 +32,16 @@ in
 ruleset =
 let
 trusted' = "{ ${concatStringsSep ", " cfg.trustedInterfaces} }";
+ openTCP = cfg.tcp.allowed ++ config.networking.firewall.allowedTCPPorts;
+ openUDP = cfg.udp.allowed ++ config.networking.firewall.allowedUDPPorts;
 in
 ''
 table inet filter {
 chain wan-tcp {
- ${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") cfg.tcp.allowed}
+ ${concatMapStringsSep "\n " (p: "tcp dport ${toString p} accept") openTCP}
 }
 chain wan-udp {
- ${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") cfg.udp.allowed}
+ ${concatMapStringsSep "\n " (p: "udp dport ${toString p} accept") openUDP}
 }
 chain wan {
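Review bot: `mkDefault` is used as a bare name on the added line, and the hunk does not show whether common.nix brings `lib` into scope (for example with `with lib;`); if it does not, this should read `enable = lib.mkDefault true;` or evaluation fails. Lowering the priority is otherwise sound: a host can now set `services.openssh.enable = false` without `mkForce`, and since the firewall module in the same commit stops opening ssh by default, such a host ends up with no ssh port exposed. The enclosing attribute set begins and ends outside the hunk.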
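Review bot: Dropping `"ssh"` from the default of `tcp.allowed` makes ssh reachability on hosts that keep sshd enabled depend on something outside this option: the ruleset hunk below now merges `config.networking.firewall.allowedTCPPorts`, which presumably receives port 22 only while `services.openssh.openFirewall` stays at its default; a host that sets `openFirewall = false` expecting to manage ports here instead will lock itself out of ssh under the new default, so that coupling deserves a line in the commit message or the option description. The description string `"TCP ports to open."` also no longer tells the reader that `networking.firewall.allowedTCPPorts` is merged in as well; I would change it to `"TCP ports to open, in addition to networking.firewall.allowedTCPPorts."` and make the matching change to the UDP option's description. The enclosing option set starts before the hunk and continues after it.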