diff --git a/zet.home.arpa/nginx/README.md b/zet.home.arpa/nginx/README.md index 0e612b4..40bf44a 100644 --- a/zet.home.arpa/nginx/README.md +++ b/zet.home.arpa/nginx/README.md @@ -63,6 +63,17 @@ sudo systemctl restart nginx # full restart sudo nginx -t # test config syntax before applying ``` +## UFW Firewall Rules + +Ports 80 and 443 must be open in UFW on zet for LAN clients to reach nginx directly (split DNS bypasses pfSense NAT): + +```bash +sudo ufw allow 80/tcp comment 'nginx HTTP' +sudo ufw allow 443/tcp comment 'nginx HTTPS' +``` + +Current UFW status also allows: Samba, NFS (LAN only), SSH (22), Squid (3128), Gitea (3000). + ## pfSense NAT Rules | WAN Port | Redirect to | Port | Description |
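Review bot: The two `ufw allow` rules added under "UFW Firewall Rules" accept 80/tcp and 443/tcp from any source, while the sentence introducing them justifies the ports only for LAN clients. If the pfSense NAT rules in the following section also forward WAN traffic to nginx on this host, say so here so the any-source scope reads as intentional; if only LAN access is meant, scope the rules, for example `sudo ufw allow from <LAN subnet> to any port 443 proto tcp`. In the "Current UFW status also allows" line only NFS is marked "LAN only", so the source scope of Samba, SSH (22), Squid (3128) and Gitea (3000) is undocumented; either note the scope for each or replace the snapshot with a pointer to `sudo ufw status verbose`, since a hand-maintained list will drift from the live ruleset.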