diff --git a/applications/dns.nix b/applications/dns.nix index c763b72..85a0cf5 100644 --- a/applications/dns.nix +++ b/applications/dns.nix @@ -67,6 +67,11 @@ in { group = "named"; }; + networking.firewall = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53]; + }; + services.bind = { enable = true; diff --git a/machines/_base.nix b/machines/_base.nix index 268a681..449925a 100644 --- a/machines/_base.nix +++ b/machines/_base.nix @@ -26,6 +26,9 @@ networking = { + # every sever needs to be accessable over ssh for admin use at least + firewall.allowedTCPPorts = [22]; + # explisitly stating this is good defaultGateway = "193.1.99.65"; diff --git a/machines/vendetta.nix b/machines/vendetta.nix index a0f53f3..cb47619 100644 --- a/machines/vendetta.nix +++ b/machines/vendetta.nix @@ -50,11 +50,6 @@ in { ]; }; }; - - firewall = { - allowedTCPPorts = [22 53]; - allowedUDPPorts = [53]; - }; }; # open the firewall for this diff --git a/machines/vigil.nix b/machines/vigil.nix index 0e68887..667527b 100644 --- a/machines/vigil.nix +++ b/machines/vigil.nix @@ -34,13 +34,6 @@ in { tags = [ "active" "dns" ]; }; - networking = { - firewall = { - allowedTCPPorts = [22 53]; - allowedUDPPorts = [53]; - }; - }; - # open the firewall for this skynet_firewall.forward = [ "ip daddr ${ip_pub} tcp dport 53 counter packets 0 bytes 0 accept"
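Review bot: Opening 53/tcp and 53/udp in `networking.firewall` exposes this BIND instance to every source address, so the `services.bind` block that starts at the end of the hunk (and continues outside it) has to keep recursion closed or the host becomes an open resolver usable for DNS amplification. Before merging, confirm `services.bind.cacheNetworks` (the list the NixOS module feeds into `allow-query`) is not widened beyond its localhost default for an authoritative-only server, and that zone transfers are limited to the known secondaries; if these hosts do recurse for the campus, pair the open port with response-rate limiting in `extraOptions`, e.g. `rate-limit { responses-per-second 5; };`. Because `allowedTCPPorts`/`allowedUDPPorts` are list options, this entry merges with the `[22]` added in `_base.nix`, which is presumably why the per-host firewall blocks in `vendetta.nix` and `vigil.nix` are dropped; a one-line comment above the block such as `# opened here so every host importing this module gets it; do not repeat per host` would make that dependency explicit.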
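Review bot: The new comment above `firewall.allowedTCPPorts = [22];` has two typos and should read `# every server needs to be accessible over ssh for admin use at least`. Opening 22/tcp on every host unconditionally also duplicates what `services.openssh.openFirewall` (default `true`) already does for `services.openssh.ports` if SSH is enabled through that module, so the hard-coded `[22]` is redundant there and would silently stay open if the port were ever moved; if the module takes `config`, `firewall.allowedTCPPorts = config.services.openssh.ports;` keeps the two in step, or the line can be dropped in favour of `openFirewall`. Exposing SSH on every public address in the base profile is only acceptable with password authentication disabled and key-only login enforced (`PasswordAuthentication no`), which this hunk does not show and a reader of `_base.nix` would expect to see next to this line. The enclosing `networking = { ... }` attribute set begins in the hunk but closes outside it.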