diff --git a/services/caddy.nix b/services/caddy.nix
index a2f0726..3a0c622 100644
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -32,16 +32,10 @@
 
     # http (but really acmeCA challenges)
     80
-
-    # for matrix federation
-    8448
   ];
 
   networking.firewall.allowedUDPPorts = [
     service_configs.ports.https
-
-    # for matrix federation
-    8448
   ];
 
   users.users.${username}.extraGroups = [
diff --git a/services/matrix.nix b/services/matrix.nix
index fe6733a..88d1e56 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -52,4 +52,14 @@
   systemd.tmpfiles.rules = [
     "d /var/lib/private/matrix-conduit 0770 conduit conduit"
   ];
+
+  # for federation
+  networking.firewall.allowedTCPPorts = [
+    8448
+  ];
+
+  # for federation
+  networking.firewall.allowedUDPPorts = [
+    8448
+  ];
 }