diff --git a/config/default.nix b/config/default.nix
index 11f8c449..a97ab685 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -85,6 +85,12 @@
     ];
   };
 
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
+    # proxy protocol used by public-access-proxy
+    8080
+    8443
+  ];
+
   nix = {
     deleteChannels = true;
     deleteUserProfiles = true;
diff --git a/modules/stats.nix b/modules/stats.nix
index 374245a2..234c2abb 100644
--- a/modules/stats.nix
+++ b/modules/stats.nix
@@ -14,6 +14,8 @@ in
   };
 
   config = {
+    networking.firewall.allowedTCPPorts = [ 9100 ];
+
     services = lib.mkMerge [
       (let
         nginxStatusPort = 9100;