diff --git a/group_vars/infra/firewall.yml b/group_vars/infra/firewall.yml
index 333b1cd..3ffe59d 100644
--- a/group_vars/infra/firewall.yml
+++ b/group_vars/infra/firewall.yml
@@ -135,6 +135,10 @@ firewall__zones:
 addrs:
 - 2a09:6840:206::1:7
 - 10.206.1.7
+ tor.pub:
+ addrs:
+ - 45.66.111.215
+ - 2a09:6840:215::1:215
 
 firewall__input:
 - iif:
@@ -297,7 +301,9 @@ firewall__forward:
 dport: 53
 verdict: accept
 # Allow NTP from infra to ntp-{1,2}
- - src: infra
+ - src:
+ - infra
+ - pub
 dst: ntp.int
 protocols:
 udp:
@@ -360,6 +366,14 @@ firewall__forward:
 - 80
 - 443
 verdict: accept
+ # Tor: SSH
+ - dst: tor.pub
+ protocols:
+ tcp:
+ dport:
+ - 22
+ - 4444
+ verdict: accept
 
 firewall__nat:
 - src: 10.0.0.0/8
diff --git a/host_vars/ns-master.int.infra.auro.re/knotd.yml b/host_vars/ns-master.int.infra.auro.re/knotd.yml
index 6b0238b..c65b20d 100644
--- a/host_vars/ns-master.int.infra.auro.re/knotd.yml
+++ b/host_vars/ns-master.int.infra.auro.re/knotd.yml
@@ -351,6 +351,10 @@ knotd__hosts:
 - 92.222.211.194
 tor.pub:
 - 45.66.111.215
+ - 2a09:6840:215::1:215
+ jitsi.pub:
+ - 45.66.111.216
+ - 2a09:6840:215::1:216
 
 knotd__zones:
 auro.re:
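Review bot: The comment above the NTP rule in the second hunk of group_vars/infra/firewall.yml (`# Allow NTP from infra to ntp-{1,2}`) is stale once `pub` is added to `src`; it should read `# Allow NTP from infra and pub to ntp-{1,2}`. If `pub` is the zone of internet-facing hosts (the name suggests it, the diff does not show its definition), the rule now lets those hosts initiate traffic towards the internal `ntp.int` servers, so the comment should also say why that is needed. The `udp:` port list of this rule lies outside the hunk, so confirm there that the widened source is still limited to the NTP port.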
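Review bot: The new `# Tor: SSH` rule in the third hunk of group_vars/infra/firewall.yml has no `src` key, unlike the NTP rule earlier in the same `firewall__forward` list, so as far as this diff shows it accepts TCP 22 and 4444 towards `tor.pub` from any source. If these ports are for administration, restrict them with a source entry naming the management zone, for example `src: <admin-zone>` (placeholder, the right zone name is not visible here). If one of them is meant to be reachable from the internet, say so in the comment. The comment also leaves port 4444 unexplained; something like `# Tor: SSH (22) and <purpose of 4444> (4444)` would tell the next reader what is being exposed.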