diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix
index 08b0312..c76740b 100644
--- a/config/hosts/woodpecker/woodpecker-agent/podman.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix
@@ -10,4 +10,11 @@
     enable = true;
     defaultNetwork.settings.dns_enabled = true;
   };
+
+  networking.firewall.interfaces."podman0" = {
+    # allowedUDPPorts = [ 53 ] gets already set by virtualisation.podman.defaultNetwork.settings.dns_enabled, but set it here explicitly anyway.
+    allowedUDPPorts = [ 53 ];
+    # For git.hamburg.ccc.de to resolve in the clone step for example, allowedTCPPorts also needs to be set to allow DNS.
+    allowedTCPPorts = [ 53 ];
+  };
 }