{
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 21 25 465 587 143 993 995 110 22000 ];
    allowedUDPPorts = [ 22 80 443 25 465 587 143 993 995 110 22000 ];
    allowedTCPPortRanges = [
      # vsftpd passive
      {
        from = 51000;
        to = 51999;
      }
    ];
  };
}