diff --git a/clanServices/firewall/default.nix b/clanServices/firewall/default.nix
new file mode 100644
index 000000000..dd4864a0b
--- /dev/null
+++ b/clanServices/firewall/default.nix
@@ -0,0 +1,34 @@
+{ clanLib, inventory, ... }:
+{
+ manifest.name = "clan-core/firewall";
+ manifest.description = "Configures firewall rules based on exported endpoints from other services";
+
+ roles.default.description = "Configures firewall rules based on exported endpoints from other services";
+
+ perMachine =
+ # firewall instances
+ {
+ exports,
+ machine,
+ lib,
+ ...
+ }:
+ let
+ instances = clanLib.resolveInstances machine inventory;
+
+ instancesTcpPorts = builtins.concatLists (
+ map (
+ instanceName:
+ lib.mapAttrsToList (_endpointName: cfg: cfg.port) exports.instances.${instanceName}.endpoints
+ ) instances
+ );
+ machineTcpPorts = lib.mapAttrsToList (
+ _endpointName: cfg: cfg.port
+ ) exports.instances.${machine.name}.endpoints;
+
+ allowedPorts = instancesTcpPorts ++ machineTcpPorts;
+ in
+ {
+ nixosModule.networking.firewall.allowedTCPPorts = allowedPorts;
+ };
+}
diff --git a/clanServices/hello-world/default.nix b/clanServices/hello-world/default.nix
index 5c682cb13..46558cb9b 100644
--- a/clanServices/hello-world/default.nix
+++ b/clanServices/hello-world/default.nix
@@ -45,6 +45,12 @@
 ...
 }:
 {
+ exports.endpoints.greeting = {
+ port = 80;
+ };
+ exports.endpoints.uptime = {
+ port = 80;
+ };
 # Analog to 'perSystem' of flake-parts.
 # For every instance of this service we will add a nixosModule to a morning-machine
 nixosModule =
@@ -89,6 +95,9 @@
 perMachine =
 { machine, ... }:
 {
+ exports.endpoints.core-online = {
+ port = 8080;
+ };
 nixosModule =
 { pkgs, ... }:
 {
diff --git a/flakeModules/clan.nix b/flakeModules/clan.nix
index 76eb2177b..971b0282e 100644
--- a/flakeModules/clan.nix
+++ b/flakeModules/clan.nix
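Review bot: `allowedPorts = instancesTcpPorts ++ machineTcpPorts` feeds every exported endpoint into `allowedTCPPorts` without consulting the `protocol` field that this same commit adds to the endpoint submodule, so an endpoint declared with `protocol = "udp"` would open the TCP port and leave the UDP port closed. The lookups `exports.instances.${instanceName}.endpoints` and `exports.instances.${machine.name}.endpoints` also abort evaluation when that instance key is absent from `exports.instances`, which presumably happens for instances that export nothing — worth confirming against how `exports` is populated. I would split the ports by protocol, route them to `allowedTCPPorts` and `allowedUDPPorts`, and let instances without exports contribute nothing.
```nix
    let
      instances = clanLib.resolveInstances machine inventory;
      # endpoints exported under one instance key; an absent key contributes nothing
      endpointsOf = name: (exports.instances.${name} or { }).endpoints or { };
      # ports exported with the given protocol across all instances plus this machine's own key
      portsFor =
        proto:
        builtins.concatLists (
          map (
            name:
            lib.mapAttrsToList (_endpointName: cfg: cfg.port) (
              lib.filterAttrs (_endpointName: cfg: cfg.protocol == proto) (endpointsOf name)
            )
          ) (instances ++ [ machine.name ])
        );
    in
    {
      nixosModule.networking.firewall.allowedTCPPorts = portsFor "tcp";
      nixosModule.networking.firewall.allowedUDPPorts = portsFor "udp";
    };
```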
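Review bot: `greeting` and `uptime` both export `port = 80` in the same instance, which is exactly the shape the `checks.conflictingPorts` assertion added to flakeModules/clan.nix in this commit (still a stub) will flag once it does something. If sharing the listener is intended, the example should say so, e.g. `# both endpoints are served by the same HTTP listener on port 80`; if not, give `uptime` its own port. Neither endpoint sets `protocol`, so both rely on the `tcp` default from the new submodule, which is fine to leave implicit but could be stated in the comment. The enclosing attrset starts outside the hunk.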
@@ -53,6 +53,18 @@ in
 ---
 '';
 };
+ # TODO: Pinpox
+ checks.conflictingPorts =
+ let
+ conflicts = [ ];
+ in
+ {
+ assertion = builtins.length conflicts == 0;
+ message = ''
+ The following endpoints have conflicting port assignments:
+ ---
+ '';
+ };
 }
 ];
 };
diff --git a/lib/modules/clan/interface.nix b/lib/modules/clan/interface.nix
index 8b001bed3..ad4a4e2f3 100644
--- a/lib/modules/clan/interface.nix
+++ b/lib/modules/clan/interface.nix
@@ -120,6 +120,30 @@ in
 visible = false;
 type = types.deferredModule;
 default = {
+ options.endpoints = lib.mkOption {
+ type = types.attrsWith {
+ placeholder = "endpointName";
+ elemType = (
+ types.submodule {
+ options = {
+ port = lib.mkOption {
+ type = types.int;
+ description = "The port the service is running on";
+ };
+ protocol = lib.mkOption {
+ type = types.enum [
+ "tcp"
+ "udp"
+ ];
+ default = "tcp";
+ description = "The protocol used to access the service";
+ };
+ };
+ }
+ );
+ };
+ default = { };
+ };
 options.networking = lib.mkOption {
 default = null;
 type = lib.types.nullOr (
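Review bot: `conflicts = [ ]` makes `assertion = builtins.length conflicts == 0` unconditionally true, so `checks.conflictingPorts` passes for every configuration and its message (which interpolates nothing) can never be shown; a reader of `checks` would reasonably assume port collisions are already caught. Until the detection is wired up the TODO should say so and state the intended rule, e.g. `# TODO: Pinpox — collect endpoints that share port+protocol on one machine; check is currently inert (always passes)`, and the collected entries should be interpolated into `message` once `conflicts` is real. Whether the exported endpoints are reachable from this scope cannot be told from the hunk.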
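Review bot: `port` is declared as `types.int`, which accepts negative numbers and values above 65535; since the firewall service in this commit copies these values straight into `networking.firewall.allowedTCPPorts`, a mistyped port should be rejected at this option rather than surface later in the firewall module. `lib.types` provides `types.port` for the 0–65535 range: `type = types.port;`. The `endpoints` option itself has no description; since exporting an endpoint is what causes a port to be opened, that consequence is worth stating, e.g. `description = "Endpoints this service exposes; the firewall service opens each listed port/protocol on the machine";`.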