diff --git a/lib/functions.sh b/lib/functions.sh
index 757ec79..feb6afb 100644
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -100,19 +100,27 @@ function disable_all_signals {
 function prepare_nftables() {
 local PREFIX="miaou:nftables"
- if ! diff -q "$MIAOU_BASEDIR/templates/hardened/nftables.conf" /etc/nftables.conf 2>/dev/null; then
+ if ! [[ -f /etc/nftables.rules.d/firewall.table ]]; then
 echo "installing nftables ..."
 sudo apt install -y nftables
 sudo cp -f "$MIAOU_BASEDIR/templates/hardened/nftables.conf" /etc/
 sudo mkdir -p /etc/nftables.rules.d
- sudo cp -f "$MIAOU_BASEDIR/templates/hardened/firewall.table" /etc/nftables.rules.d/
- sudo systemctl restart nftables
 sudo systemctl enable nftables
- echo "OK"
+
 else
 echo "nftables already installed!"
 fi
+ current_target="${TARGET:-not_defined_yet}"
+ if [[ $current_target == not_defined_yet ]]; then
+ echo -n "generating new firewall table first time... "
+ else
+ echo -n "generating new firewall table according to target=<${current_target}>... "
+ fi
+ sudo env target="$current_target" tera -e --env-only --env-key env -t "$MIAOU_BASEDIR/templates/nftables/firewall.table.j2" -o /etc/nftables.rules.d/firewall.table &>/dev/null
+ sudo systemctl reload nftables
+ echo "OK"
+
 }
 function miaou_init() {
diff --git a/templates/hardened/firewall.table b/templates/nftables/firewall.table.j2
similarity index 51%
rename from templates/hardened/firewall.table
rename to templates/nftables/firewall.table.j2
index b48bdae..cc3cfdb 100644
--- a/templates/hardened/firewall.table
+++ b/templates/nftables/firewall.table.j2
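Review bot: The tera render on the new `sudo env target=... tera ... &>/dev/null` line is neither checked nor visible: if tera is absent or the template fails to render, /etc/nftables.rules.d/firewall.table is left missing or stale, yet `sudo systemctl reload nftables` still runs and "OK" is printed, so the host may end up with a ruleset other than the one the operator believes was applied. Keep stderr and check both steps, e.g. `sudo env target="$current_target" tera -e --env-only --env-key env -t "$MIAOU_BASEDIR/templates/nftables/firewall.table.j2" -o /etc/nftables.rules.d/firewall.table >/dev/null || { echo "firewall table render failed" >&2; return 1; }` followed by `sudo systemctl reload nftables || { echo "nftables reload failed" >&2; return 1; }`. `current_target` is assigned without `local`, unlike `PREFIX` a few lines above, so it leaks into the caller's shell. On the first-install path the commit drops the `restart` and only `enable`s the unit; if the package does not start nftables on install, the later `reload` presumably fails on an inactive unit, which `sudo systemctl enable --now nftables` would avoid. The prepare_nftables body is fully inside the hunk; the miaou_init definition at its end continues outside.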
@@ -13,11 +13,20 @@ table inet firewall {
 # icmp
 icmp type echo-request accept
+ # allow SSH + GITEA + NGINX
+ tcp dport {22, 2222, 80, 443} accept
+
+ {%- if env.target == 'dev' %}
+ # allow mDNS
 udp dport mdns accept
- # allow SSH + GITEA + NGINX
- tcp dport {22, 2222, 80, 443} accept
+ # allow SAMBA
+ udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)"
+ udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)"
+ tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)"
+ tcp dport microsoft-ds accept comment "Accept Microsoft Directory Service (smbd)"
+ {%- endif %}
 }
 }
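Review bot: The `udp dport mdns accept` rule, unconditional before this change, now sits inside the new `{%- if env.target == 'dev' %}` block, so every non-dev target silently loses mDNS; if that is intended it deserves a comment, otherwise the rule belongs above the `{%- if` line next to the SSH/GITEA/NGINX accept. The four SAMBA accepts are bounded by neither source address nor interface, which may be acceptable for a development target but is worth a comment beside them such as `# NOTE: accepted from any source on this chain; narrow to the LAN prefix if the host is reachable beyond it` (the chain's scope and policy are outside the hunk). A short header comment stating that `env.target` comes from the renderer's environment and that the whole block is omitted when it is unset or not 'dev' would help the next editor of this template. The enclosing `table inet firewall` block starts before the hunk.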