diff --git a/_posts/2015-06-12-ufw.md b/_posts/2015-06-12-ufw.md index 21e3d8b..055fa11 100644 --- a/_posts/2015-06-12-ufw.md +++ b/_posts/2015-06-12-ufw.md @@ -23,8 +23,8 @@ ufw default allow outgoing systemctl enable ufw && systemctl start ufw ufw enable ufw reject 113 -ufw allow 631 -ufw allow 5353/udp +ufw allow from 172.16.0.0/16 to any port 631 +ufw allow from 172.16.0.0/16 to any port 5353 ufw allow 17500/tcp ufw allow 60000:61000/udp ``` @@ -42,8 +42,9 @@ ufw allow 60000:61000/udp This makes ident checking IRC servers connect faster as they don't have to timeout. If you run shell server (for IRC purpouses) you should allow this instead. -* 631/cups — Allow access to cups for printer sharing -* 5353/mdns/Avahi — used for `.local` addresses +* 631/cups — Allow access to cups for printer sharing from local network +* 5353/mdns/Avahi — used for `.local` addresses and probably not needed + outside local network * 17500/Dropbox — which I use everywhere * 60000:61000/mosh — I feel this is the most insecure part of this setup and there should be something bettter instead of this.
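Review bot: In the first hunk (the rules block at line 23), the new 5353 rule drops the protocol restriction that the removed line had. `ufw allow 5353/udp` was UDP-only, while `ufw allow from 172.16.0.0/16 to any port 5353` has no protocol, so it opens the port for TCP as well as UDP from that subnet. To keep the rule as narrow as before while adding the source restriction, append the protocol: `ufw allow from 172.16.0.0/16 to any port 5353 proto udp`. The 631 rule had no protocol before the change either, so it is consistent as written.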
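Review bot: In the second hunk (the port list at line 42), the updated 631 and 5353 bullets say "local network" but never name the 172.16.0.0/16 range that the rules in the first hunk hard-code. A reader who copies the command block on a LAN with a different range gets rules that match none of their hosts, so CUPS and mDNS are silently left closed to them. Suggest stating in one of these bullets that 172.16.0.0/16 is this setup's local subnet and has to be replaced with the reader's own. The wording "probably not needed outside local network" could also be made definite, since the rule now enforces exactly that restriction.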