diff --git a/machines/ash.nix b/machines/ash.nix
index db0923b..5c0b2cb 100644
--- a/machines/ash.nix
+++ b/machines/ash.nix
@@ -35,7 +35,7 @@ in {
   # these two are to be able to add the rules for firewall and dns
   # open the firewall for this
   skynet_firewall.forward = [
-    "ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
   ];
 
   skynet_dns.records = {
diff --git a/machines/galatea.nix b/machines/galatea.nix
index 5def808..fc7ed21 100644
--- a/machines/galatea.nix
+++ b/machines/galatea.nix
@@ -37,9 +37,9 @@ in {
   # these two are to be able to add the rules for firewall and dns
   # open the firewall for this
   skynet_firewall.forward = [
-    "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 8000 counter packets 0 bytes 0 accept"
   ];
 
   skynet_dns.records = {
diff --git a/machines/optimus.nix b/machines/optimus.nix
index 7c96bc1..c440269 100644
--- a/machines/optimus.nix
+++ b/machines/optimus.nix
@@ -36,9 +36,9 @@ in {
   # these two are to be able to add the rules for firewall and dns
   # open the firewall for this
   skynet_firewall.forward = [
-    "ip saddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 80 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 443 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 25565 counter packets 0 bytes 0 accept"
   ];
 
   skynet_dns.records = {
diff --git a/machines/vendetta.nix b/machines/vendetta.nix
index 7d5b5ec..d5bcd64 100644
--- a/machines/vendetta.nix
+++ b/machines/vendetta.nix
@@ -43,8 +43,8 @@ in {
 
   # open the firewall for this
   skynet_firewall.forward = [
-    "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
   ];
 
   skynet_dns = {
diff --git a/machines/vigil.nix b/machines/vigil.nix
index 2119756..cd76422 100644
--- a/machines/vigil.nix
+++ b/machines/vigil.nix
@@ -42,8 +42,8 @@ in {
 
   # open the firewall for this
   skynet_firewall.forward = [
-    "ip saddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
-    "ip saddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
+    "ip daddr ${ip_pub} udp dport 53 counter packets 0 bytes 0 accept"
   ];
 
   skynet_dns = {