diff --git a/.github/workflows/deploy-firewall.yml b/.github/workflows/deploy-firewall.yml
new file mode 100644
index 0000000..9925d31
--- /dev/null
+++ b/.github/workflows/deploy-firewall.yml
@@ -0,0 +1,22 @@
+name: deploy firewall
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+jobs:
+ deploy-firewall:
+ runs-on: self-hosted
+ steps:
+ - name: Check out the pull request or main branch
+ uses: actions/checkout@v4
+ with:
+ # For pull requests, use the source branch; otherwise, use the current branch
+ ref: ${{ github.event.pull_request.head.ref || github.ref_name }}
+ fetch-depth: 0 # Fetch all history to ensure complete build context
+ - run: |
+ sudo cp server.nft /etc/nft-conf/
+ sudo nft -f /etc/nftables.conf
+ sudo service docker restart
+
+
diff --git a/server.nft b/server.nft
index 90074c5..5940fd0 100644
--- a/server.nft
+++ b/server.nft
@@ -20,6 +20,8 @@ table inet filter {
 icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept comment "Accept ICMP"
 ip protocol igmp accept comment "Accept IGMP"
 meta l4proto vmap @input_vmap
+ tcp dport {21115-21119} accept
+ udp dport 21116 accept
 }
 
 chain forward {
@@ -41,6 +43,8 @@ table inet filter {
 tcp sport 2049 accept
 udp sport 2049 accept
 tcp sport @web counter packets 0 bytes 0 accept comment "Accept web server"
+ tcp sport {21115-21119} accept
+ udp sport 21116 accept
 }
 
 chain TCP {
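Review bot: The `pull_request` trigger lets an unmerged branch become the live firewall: the job checks out `github.event.pull_request.head.ref` and then runs `sudo cp server.nft`, `sudo nft -f` and `sudo service docker restart` on the self-hosted host for every PR against main, before anyone has reviewed it. Gate the privileged step on a push to main and validate the file with `nft -c` before it is copied, so a broken ruleset is rejected while the previous `/etc/nft-conf/` copy (which is what the host would load at next boot) is still intact; if `server.nft` loads standalone the check can also run on pull requests as the only PR-side step. The workflow has no `permissions:` block, and nothing here needs more than `contents: read` for checkout. The copy target `/etc/nft-conf/` and the loaded file `/etc/nftables.conf` differ, so presumably the latter includes the former — a one-line comment on the `run` step stating that would save the next reader a guess; `fetch-depth: 0` is also unnecessary for copying one file from the working tree.
```yaml
permissions:
  contents: read
# … unchanged: on:/jobs: header, checkout step …
      - name: Validate ruleset before it is copied into /etc
        run: sudo nft -c -f server.nft
      - name: Apply firewall and restart docker
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: |
          sudo cp server.nft /etc/nft-conf/
          sudo nft -f /etc/nftables.conf
          sudo service docker restart
```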
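Review bot: The two new accept rules in the input chain carry no `comment`, unlike the neighbouring rules (`comment "Accept ICMP"`, `comment "Accept IGMP"`), so nothing in the ruleset records which service owns 21115-21119/tcp and 21116/udp; the same applies to the two rules added in the second hunk of this file. Add the service name to each, e.g. `tcp dport 21115-21119 accept comment "Accept <service>"` (the braces around a single range are redundant). Both rules accept from any source; if the service is only reached from known networks, an `ip saddr` match against a set would narrow the exposure — hedged, since the chain's policy and the contents of `@input_vmap` are outside the hunk. The `chain input` header itself is also outside the hunk.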
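Review bot: The port literals `{21115-21119}` and `21116` are now repeated verbatim in two chains, whereas the file already uses a named set for the web ports (`tcp sport @web`); a future port change has to be made in both places or the input and output sides silently diverge. Define the ports once at table scope, e.g. (name constructed) `set svc_tcp { type inet_service; flags interval; elements = { 21115-21119 } }`, and reference `@svc_tcp` here and in the input chain; `flags interval` is required because the element is a range. The enclosing chain's header is outside the hunk, so that these are output-side rules is inferred from the `sport` matches alone.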