diff --git a/options/custom/containers/coturn.nix b/options/custom/containers/coturn.nix
index 128287c..533c61e 100644
--- a/options/custom/containers/coturn.nix
+++ b/options/custom/containers/coturn.nix
@@ -46,5 +46,25 @@ in {
 };
 };
 };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 3478 # TURN
+ 5349 # TURN
+ ];
+
+ allowedUDPPorts = [
+ 3478 # TURN
+ 5349 # TURN
+ ];
+
+ allowedUDPPortRanges = [
+ {
+ # TURN
+ from = 49152;
+ to = 65535;
+ }
+ ];
+ };
 };
 }
diff --git a/options/custom/containers/oryx.nix b/options/custom/containers/oryx.nix
index 1b793af..5e2af4e 100644
--- a/options/custom/containers/oryx.nix
+++ b/options/custom/containers/oryx.nix
@@ -38,5 +38,16 @@ in {
 volumes = ["${config.custom.containers.directory}/oryx/data:/data"];
 };
 };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 1935 # RTMP
+ ];
+
+ allowedUDPPorts = [
+ 8000 # WebRTC
+ 10080 # SRT
+ ];
+ };
 };
 }
diff --git a/options/custom/containers/owncast.nix b/options/custom/containers/owncast.nix
index 50ffbeb..eec64f1 100644
--- a/options/custom/containers/owncast.nix
+++ b/options/custom/containers/owncast.nix
@@ -25,5 +25,11 @@ in {
 ];
 };
 };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 1935 # RTMP
+ ];
+ };
 };
 }
diff --git a/options/custom/services/caddy.nix b/options/custom/services/caddy.nix
index 3cbc72a..9e8e8e5 100644
--- a/options/custom/services/caddy.nix
+++ b/options/custom/services/caddy.nix
@@ -54,29 +54,9 @@ in {
 # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
 # https://element-hq.github.io/synapse/latest/turn-howto.html
 networking.firewall = {
- enable = true;
-
 allowedTCPPorts = [
 80 # HTTP
 443 # HTTPS
- 1935 # RTMP
- 3478 # TURN
- 5349 # TURN
- ];
-
- allowedUDPPorts = [
- 3478 # TURN
- 5349 # TURN
- 8000 # WebRTC
- 10080 # SRT
- ];
-
- allowedUDPPortRanges = [
- {
- # TURN
- from = 49152;
- to = 65535;
- }
 ];
 };
 };
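Review bot: Both `5349` entries in the coturn.nix hunk carry the same `# TURN` comment as `3478`, but 5349 is the TLS (TURNS) listener, so `5349 # TURN (TLS)` would tell a reader why the service needs two ports on each protocol. The `49152`–`65535` UDP range is the relay allocation range and only makes sense if it matches the `min-port`/`max-port` the coturn container is started with; that configuration is outside this hunk, so a comment such as `# relay range, keep in sync with coturn min-port/max-port` on the range would make the coupling visible. The enclosing attribute set begins outside the hunk, so whether these rules are gated on the module's enable option cannot be confirmed from here.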
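Review bot: TCP `1935 # RTMP` is opened in the oryx.nix hunk and again in the owncast.nix hunk; the firewall lists merge without an evaluation error, so if both containers are enabled on one host the port conflict only surfaces when the second container fails to bind. A comment on one of the two entries, e.g. `1935 # RTMP (also claimed by owncast)`, or an assertion that the two modules are not enabled together, would make the overlap explicit. Whether the two containers ever run on the same host cannot be determined from this diff.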
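Review bot: The two URL comments kept as context above `networking.firewall` in the caddy.nix hunk (the coturn README and the synapse TURN how-to) describe the TURN ports this hunk removes, so they are now stale in caddy.nix; they belong next to the rules in the coturn.nix hunk, and something like `# HTTP/HTTPS for Caddy; service-specific ports live in their own modules` could stand in their place. Dropping `enable = true;` also means caddy.nix no longer forces the host firewall on by itself; that now depends on the `custom.settings.networking.firewall` option in the networking.nix hunk, so a host that sets that option to false runs Caddy with the firewall off, which this module previously prevented, and that is worth a one-line comment here. The enclosing module body continues outside the hunk.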
diff --git a/options/custom/settings/networking.nix b/options/custom/settings/networking.nix
index a925c9a..2db18e1 100644
--- a/options/custom/settings/networking.nix
+++ b/options/custom/settings/networking.nix
@@ -9,6 +9,7 @@ in {
 options.custom.settings.networking = {
 enable = mkOption {default = false;};
 dns = mkOption {default = config.custom.default;};
+ firewall = mkOption {default = config.custom.default;};
 ipv4 = mkOption {default = null;};
 ipv6 = mkOption {default = null;};
 networkd = mkOption {default = !cfg.networkmanager;};
@@ -30,6 +31,7 @@ in {
 # https://wiki.nixos.org/wiki/Networking
 networking = {
 hostName = config.custom.hostname;
+ firewall.enable = cfg.firewall;
 useNetworkd = cfg.networkd;
 wireless.iwd.enable = cfg.wifi;
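Review bot: The new `firewall` option in the first hunk defaults to `config.custom.default` like `dns`, but unlike the allow-list entries added elsewhere in this commit it switches the whole host firewall on or off (`firewall.enable = cfg.firewall;` in the second hunk), so setting it to false leaves every port reachable, not just the listed ones. The option has no `type` or `description`, consistent with its siblings, so a comment on the line such as `# false disables the host firewall entirely; container modules only add allow-list entries` would document that consequence. The second hunk of this file continues past the end of the diff shown.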