diff --git a/default.nix b/default.nix
index 47b9675..f2bd688 100644
--- a/default.nix
+++ b/default.nix
@@ -254,8 +254,29 @@ in
       };
     };
 
-    # Firewall configuration
-    # networking.firewall.allowedTCPPorts = [ 80 443 ];
+    # Firewall configuration - open ports for USDA Vision services
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        # Web services
+        80        # HTTP
+        443       # HTTPS
+        3000      # Main web app (if exposed directly)
+        
+        # Supabase services
+        54321     # Supabase Kong (API Gateway)
+        54322     # Supabase PostgreSQL
+        54323     # Supabase Studio
+        54324     # Supabase Inbucket (email testing)
+        54327     # Supabase Analytics
+        
+        # USDA Vision services
+        8090      # Media API
+        8189      # MediaMTX API
+        8554      # RTSP (MediaMTX)
+        8889      # MediaMTX WebRTC
+      ];
+    };
 
     # Any other usda-dash specific configuration
   };