diff --git a/modules/bacula.nix b/modules/bacula.nix
index d28e3a8..59815a4 100644
--- a/modules/bacula.nix
+++ b/modules/bacula.nix
@@ -5,7 +5,11 @@
     "bacula/keypair".owner = "bacula";
     "bacula/masterkey".owner = "bacula";
   };
-  networking.firewall.allowedTCPPorts = [ config.services.bacula-fd.port ];
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr 10.144.0.11 tcp dport ${config.services.bacula-fd.port} accept comment "Only allow Bacula access from Abel"
+    '';
+  };
   services.bacula-fd = {
     enable = true;
     name = "ifsr-quitte";