diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a72ba7967737..e6ae725f85ff 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -98,6 +98,15 @@ in
 '';
 };
+ networking.firewall.trustedInterfaces = mkOption {
+ type = types.list types.string;
+ description =
+ ''
+ Traffic coming in from these interfaces will be accepted
+ unconditionally.
+ '';
+ };
+
 networking.firewall.allowedTCPPorts = mkOption {
 default = [];
 example = [ 22 80 ];
@@ -155,6 +164,8 @@ in
 # holds).
 config = mkIf cfg.enable {
+ networking.firewall.trustedInterfaces = [ "lo" ];
+
 environment.systemPackages = [ pkgs.iptables ];
 boot.kernelModules = [ "nf_conntrack_ftp" ];
@@ -222,8 +233,10 @@ in
 # The "nixos-fw" chain does the actual work.
 ip46tables -N nixos-fw
- # Accept all traffic on the loopback interface.
- ip46tables -A nixos-fw -i lo -j nixos-fw-accept
+ # Accept all traffic on the trusted interfaces.
+ ${flip concatMapStrings cfg.trustedInterfaces (iface: ''
+ ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept
+ '')}
 # Accept packets from established or related connections.
 ip46tables -A nixos-fw -m conntrack --ctstate ESTABLISHED,RELATED -j nixos-fw-accept
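Review bot: The new `networking.firewall.trustedInterfaces` option declares no `default`, unlike `allowedTCPPorts` directly below it (`default = []; example = [ 22 80 ];`), so the option is only defined through the `[ "lo" ]` assignment in the `config` block and any evaluation of `cfg.trustedInterfaces` outside `cfg.enable` would fail on an unset option; add `default = [];` and, for consistency with the sibling option, an example (a constructed one such as `example = [ "br-internal" ]`). The description should also state the security consequence rather than just "accepted unconditionally": the generated rule is the first one appended to `nixos-fw`, so traffic on a listed interface is accepted before any other rule in that chain is consulted, including the allowed-port rules, and only interfaces whose peers are fully trusted belong here. A wording such as `Traffic arriving on these interfaces is accepted before any other firewall rule is evaluated; list only interfaces (such as the loopback device or an internal bridge) whose traffic is entirely trusted.` would convey that.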
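Review bot: `${iface}` on the line `+ ip46tables -A nixos-fw -i ${iface} -j nixos-fw-accept` is interpolated into the generated shell script unquoted, so a configured name containing whitespace or shell metacharacters would be word-split or reinterpreted by the shell instead of reaching iptables as one argument. Quoting it, `ip46tables -A nixos-fw -i "${iface}" -j nixos-fw-accept`, keeps each configured name as a single argument and lets iptables reject anything that is not a valid interface name. Since iptables treats a trailing `+` in an interface name as a prefix wildcard, a single entry can trust a whole family of interfaces; that is worth a sentence in the option description from the first hunk, as it widens what "trusted" covers. The shell-script string this hunk edits begins and ends outside the hunk.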