diff --git a/checks/two-peers.nix b/checks/two-peers.nix index b16e5e0..18e1f1d 100644 --- a/checks/two-peers.nix +++ b/checks/two-peers.nix @@ -48,7 +48,6 @@ pkgs.nixosTest rec { prefixLength = 64; } ]; }; - networking.firewall.enable = false; }; bar = { imports = [ ../modules ]; @@ -94,7 +93,6 @@ pkgs.nixosTest rec { prefixLength = 64; } ]; }; - networking.firewall.enable = false; }; }; diff --git a/modules/default.nix b/modules/default.nix index 48d5935..9e1eb0a 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,6 +3,10 @@ let cfg = config.networking.dn42; in { + imports = [ + ./firewall.nix + ]; + options.networking.dn42 = { enable = lib.mkEnableOption "Whether to enable dn42 integration."; diff --git a/modules/firewall.nix b/modules/firewall.nix new file mode 100644 index 0000000..2edfcaf --- /dev/null +++ b/modules/firewall.nix @@ -0,0 +1,25 @@ +{ config, lib, ... }: +let + enable = config.networking.dn42.enable && config.networking.firewall.enable; + +in +{ + # Allow BGP on peering interfaces + # TODO: these should actually only additionally filter for peer's + # addresses, but there is no NixOS option for that. + networking.firewall.interfaces = lib.mkIf enable ( + builtins.listToAttrs ( + map (interface: { + name = interface; + value.allowedTCPPorts = [ + # BGP + 179 + ]; + }) ( + map ({ interface, ... }: interface) ( + builtins.attrValues config.networking.dn42.peers + ) + ) + ) + ); +}
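Review bot: The `# TODO` above `networking.firewall.interfaces` in the new modules/firewall.nix understates what the file leaves open: with only `allowedTCPPorts = [ 179 ]` per interface, any host that can send traffic in on a peering interface reaches the BGP daemon, so the rule is exactly as narrow as the interface itself, which is fine for a point-to-point tunnel but not for a shared link. The comment should say so rather than only "there is no NixOS option", since per-source filtering is possible today through `networking.firewall.extraCommands` (it just cannot be expressed in `interfaces.<name>.allowedTCPPorts`); suggested wording: `# NOTE: admits BGP from any host on the peering interface; on a shared link add a source-address match via networking.firewall.extraCommands until a per-peer option exists.` Style-wise, the two nested `map` calls at the end of the hunk can be a single `map ({ interface, ... }: { name = interface; value.allowedTCPPorts = [ 179 ]; }) (builtins.attrValues config.networking.dn42.peers)`, which keeps the name/value pairing next to the peer it is derived from. The tests in checks/two-peers.nix now rely on this module instead of disabling the firewall, so the rule above is also what those tests will exercise.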