diff --git a/modules/module-list.nix b/modules/module-list.nix
index 4c2223d..b36d85c 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -14,6 +14,7 @@
 ./system/defaults/dock.nix
 ./system/defaults/finder.nix
 ./system/defaults/screencapture.nix
+ ./system/defaults/alf.nix
 ./system/defaults/smb.nix
 ./system/defaults/trackpad.nix
 ./system/etc.nix
diff --git a/modules/system/defaults-write.nix b/modules/system/defaults-write.nix
index 889400b..bf9f2f4 100644
--- a/modules/system/defaults-write.nix
+++ b/modules/system/defaults-write.nix
@@ -26,6 +26,7 @@ let
 LaunchServices = defaultsToList "com.apple.LaunchServices" cfg.LaunchServices;
 dock = defaultsToList "com.apple.dock" cfg.dock;
 finder = defaultsToList "com.apple.finder" cfg.finder;
+ alf = defaultsToList "/Library/Preferences/com.apple.alf" cfg.alf;
 smb = defaultsToList "/Library/Preferences/SystemConfiguration/com.apple.smb.server" cfg.smb;
 screencapture = defaultsToList "com.apple.screencapture" cfg.screencapture;
 trackpad = defaultsToList "com.apple.AppleMultitouchTrackpad" cfg.trackpad;
@@ -37,10 +38,11 @@ in
 {
 config = {
- system.activationScripts.defaults.text = mkIfAttrs [ smb ]
+ system.activationScripts.defaults.text = mkIfAttrs [ alf smb ]
 ''
 # Set defaults
 echo >&2 "system defaults..."
+ ${concatStringsSep "\n" alf}
 ${concatStringsSep "\n" smb}
 '';
diff --git a/modules/system/defaults/alf.nix b/modules/system/defaults/alf.nix
new file mode 100644
index 0000000..f62ead2
--- /dev/null
+++ b/modules/system/defaults/alf.nix
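Review bot: The new `alf` binding in the `let` block and the `mkIfAttrs [ alf smb ]` activation script both route the firewall domain through the system-level script without a comment on why it, like `smb`, is written here while the other domains in the same `let` block (dock, finder, trackpad) are written elsewhere, outside this hunk; presumably because `/Library/Preferences/com.apple.alf` is a system-wide plist that needs root, but the diff does not say so. A one-line comment above the assignment would make the intent explicit, e.g. `# System-wide domain under /Library/Preferences; written by the root activation script, not per user`. It is also worth confirming whether the Application Firewall picks up a `defaults write` to this plist immediately or only after the service restarts or the machine reboots; if the latter, the script's output or the option descriptions should say so, otherwise an operator reading "system defaults..." may assume the firewall state has already changed.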
@@ -0,0 +1,69 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ options = {
+ system.defaults.alf.globalstate = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ # Apple menu > System Preferences > Security and Privacy > Firewall
+ Enable the internal firewall to prevent unauthorised applications, programs
+ and services from accepting incoming connections.
+
+ 0 = disabled
+ 1 = enabled
+ 2 = blocks all connections except for essential services
+ '';
+ };
+
+ system.defaults.alf.allowsignedenabled = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ # Apple menu > System Preferences > Security and Privacy > Firewall
+ Allows any signed Application to accept incoming requests. Default is true.
+
+ 0 = disabled
+ 1 = enabled
+ '';
+ };
+
+ system.defaults.alf.allowdownloadsignedenabled = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ # Apple menu > System Preferences > Security and Privacy > Firewall
+ Allows any downloaded Application that has been signed to accept incoming requests. Default is 0.
+
+ 0 = disabled
+ 1 = enabled
+ '';
+ };
+
+ system.defaults.alf.loggingenabled = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ # Apple menu > System Preferences > Security and Privacy > Firewall
+ Enable logging of requests made to the firewall. Default is 0.
+
+ 0 = disabled
+ 1 = enabled
+ '';
+ };
+
+ system.defaults.alf.stealthenabled = mkOption {
+ type = types.nullOr types.int;
+ default = null;
+ description = ''
+ # Apple menu > System Preferences > Security and firewall
+ Drops incoming requests via ICMP such as ping requests. Default is 0.
+
+ 0 = disabled
+ 1 = enabled
+ '';
+ };
+ };
+}
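Review bot: Every option in this new file is typed `types.nullOr types.int`, so `globalstate` accepts values outside the documented 0–2 and the on/off options accept anything other than 0 or 1, and whatever is given is written straight into the firewall's preference domain by the activation script in defaults-write.nix. Since each description already enumerates the legal values, the type can enforce them: `type = types.nullOr (types.enum [ 0 1 2 ]);` for `globalstate` and `type = types.nullOr (types.enum [ 0 1 ]);` for the four others (moving to `types.bool` would depend on how `defaultsToList` renders booleans, which is outside this diff). The descriptions are also inconsistent with each other: `allowsignedenabled` says "Default is true" in a scheme where every other option states the default as 0 or 1, and `stealthenabled` cites "Security and firewall" where the others cite "Security and Privacy > Firewall"; aligning both to the numeric form and the same menu path would keep the documented values and the enforced values in step.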