diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index 30d3b5d..9a77372 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -10,8 +10,8 @@
     # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
     boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
 
-    # Open DNS port for LAN clients querying CoreDNS.
-    networking.firewall.allowedTCPPorts = [ 53 ];
+    # Open ports: DNS (53), mc-proxy (443, 8443, 9443), exod (8080, 9090).
+    networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
     networking.firewall.allowedUDPPorts = [ 53 ];
   };
 }