diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix
index 1904449..c714c77 100644
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -314,9 +314,9 @@
 # Firewall - default deny, explicit allow
 networking.firewall = {
+ # Enable firewall with default deny policy (NixOS firewall denies all by default)
 enable = true;
 allowPing = true;
- defaultAllow = false;
 # Only essential ports exposed to internet
 allowedTCPPorts = [
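Review bot: The comment added above `enable = true;` overstates the policy, because the NixOS firewall's default-deny covers inbound traffic only and `allowPing = true;` two lines below still answers ICMP echo requests. "Denies all by default" will read to the next maintainer as if outbound traffic were filtered too, and it repeats the existing `# Firewall - default deny, explicit allow` header. I would reword it to `# Inbound default-deny: only the ports listed below are reachable; outbound is unfiltered and ICMP echo is answered (allowPing).` The `networking.firewall` attribute set continues past the visible hunk, so the allowed port list itself is not covered by this note.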