diff --git a/hosts/pbx/networking.nix b/hosts/pbx/networking.nix
index e46f25f..8fef211 100644
--- a/hosts/pbx/networking.nix
+++ b/hosts/pbx/networking.nix
@@ -11,9 +11,18 @@
 # Fix Intel NIC e1000e hardware unit hang
 localCommands = lib.mkBefore "${pkgs.ethtool}/bin/ethtool -K enp0s25 tso off gso off";
- firewall.interfaces = {
- weinturm.allowedUDPPorts = [53 67];
- public-event.allowedUDPPorts = [53 67];
+ firewall = {
+ interfaces = {
+ weinturm.allowedUDPPorts = [53 67];
+ public-event.allowedUDPPorts = [53 67];
+ };
+ filterForward = true;
+ extraForwardRules = ''
+ oifname { "jugendtreff", "public-ip4" } meta l4proto tcp tcp dport 25 drop comment "Block outgoing SMTP (TCP/25)"
+ oifname { "jugendtreff", "public-ip4" } meta l4proto tcp tcp dport { 135, 137, 138, 139, 445 } drop comment "Block MS RPC/NetBIOS/SMB (TCP)"
+ oifname { "jugendtreff", "public-ip4" } meta l4proto udp udp dport { 135, 137, 138, 139, 445 } drop comment "Block MS RPC/NetBIOS/SMB (UDP)"
+ oifname { "jugendtreff", "public-ip4" } meta l4proto udp udp dport 1900 drop comment "Block SSDP (UPnP, UDP/1900)"
+ '';
 };
 vlans = {
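Review bot: `filterForward = true` switches the forward chain to default-drop, so any traffic this host forwards between the VLANs declared below now depends on accept rules that are not in this hunk (the NAT module or another `extraForwardRules` definition), and the option is nftables-only, which the hunk does not show enabled. Because several modules may contribute to the same `extraForwardRules` option, whether these four `drop` rules land before or after a broad `accept` is decided by module merge order rather than by this file, so the rendered chain should be checked with `nft list ruleset` after activation. The drops are silent, so a client that starts hammering port 25 or 445 outbound (a useful sign of compromise) leaves no trace; inserting `counter` before `drop` on each rule, e.g. `... tcp dport 25 counter drop comment "Block outgoing SMTP (TCP/25)"`, makes hits visible in the ruleset at no cost, and a `log prefix` would additionally surface them in the journal. A one-line comment above `extraForwardRules` stating the intent, `# Egress hygiene for forwarded traffic: keep client mail relaying, Windows file sharing and SSDP off the uplinks`, would tell the next reader why the block exists.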