diff --git a/ferm-eva.conf b/ferm-eva.conf
new file mode 100755
index 0000000..15c2b04
--- /dev/null
+++ b/ferm-eva.conf
@@ -0,0 +1,42 @@
+@def $bridge = br0;
+@def $internet = ens3;
+@def $search_domain = "eva.higgsboson.tk";
+@def $public_ipv4 = `ip a s ens3 | awk '$0 ~ "inet " { split($2,a,"/"); print a[1] }'`;
+@def $public_ipv6 = `ip a s ens3 | awk '$0 ~ "inet6 " && !($2 ~ /^fe80/) { split($2,a,"/"); print a[1] }'`;
+
+include "ferm.d/functions";
+include `find ferm.d/services/*`;
+
+domain (ip ip6) {
+ table nat {
+ chain PREROUTING policy ACCEPT;
+ chain POSTROUTING policy ACCEPT;
+ chain INPUT policy ACCEPT;
+ chain OUTPUT policy ACCEPT;
+ }
+ table filter {
+ chain FORWARD {
+ interface $bridge protocol tcp dport smtp REJECT reject-with tcp-reset;
+
+ # dn42 -> is filtered in dn42 container
+ interface $bridge mod physdev physdev-out lxc_dn42 ACCEPT;
+
+ interface $bridge outerface $internet ACCEPT;
+ }
+ chain (INPUT FORWARD) {
+ policy DROP;
+ interface lo ACCEPT;
+ protocol icmp ACCEPT;
+ mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+
+ LOG log-prefix "iptables reject:";
+ protocol tcp REJECT reject-with tcp-reset;
+ REJECT reject-with icmp-port-unreachable;
+ }
+ chain OUTPUT policy ACCEPT;
+ }
+}
+
+domain ip table nat {
+ chain POSTROUTING outerface $internet MASQUERADE;
+}
diff --git a/services-eva/00-local b/services-eva/00-local
new file mode 100644
index 0000000..690353e
--- /dev/null
+++ b/services-eva/00-local
@@ -0,0 +1,2 @@
+&allow_local(tcp, 22); # SSH
+&allow_local(udp, 60000:60010); # Mosh
diff --git a/services-eva/45-dn42 b/services-eva/45-dn42
new file mode 100644
index 0000000..e2a1784
--- /dev/null
+++ b/services-eva/45-dn42
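Review bot: `LOG log-prefix "iptables reject:";` in `chain (INPUT FORWARD)` logs every packet that falls through to the reject rules with no rate limit, so unsolicited traffic arriving on $internet can flood the kernel log; put a limit in front of it, e.g. `mod limit limit 5/min limit-burst 10 LOG log-prefix "iptables reject:";`. The `$public_ipv4`/`$public_ipv6` shell-outs hardcode `ens3` although `$internet` is defined as that interface two lines earlier, so the two can silently drift apart; note also that these commands run at every ferm load and yield an empty value if the interface has no address yet, which whatever consumes the variables must tolerate. The service files added by this same commit live under `services-eva/`, while the config includes `` `find ferm.d/services/*` ``; unless a deploy step maps one path to the other (not visible here), none of those services are loaded. Finally, because `policy DROP` applies in both `ip` and `ip6` domains and `protocol icmp ACCEPT` is the only ICMP rule, please confirm the ip6 side is emitted as `-p ipv6-icmp`; if ferm passes `icmp` through unchanged there, neighbour discovery is dropped and IPv6 on the host stops working.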
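Review bot: The two `&allow_local(...)` lines say which ports are opened but not to whom: `allow_local` presumably comes from `ferm.d/functions`, which is not part of this diff, so a reader cannot tell whether tcp/22 is reachable from the internet or only from the bridge. A one-line header comment such as `# ports the host itself listens on; the source scope is decided by allow_local in ferm.d/functions` would make that explicit. If 22 is reachable from $internet, it is also worth checking that the macro applies a `mod recent` or `mod limit` so SSH brute-forcing is throttled.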
@@ -0,0 +1,10 @@
+@def $dn42_ip4 = @resolve(dn42, A);
+@def $dn42_ip6 = @resolve(ipv6.dn42.eva.higgsboson.tk, AAAA);
+domain (ip ip6) table filter chain FORWARD proto udp dport 6001:6020 daddr @ipfilter(($dn42_ip4 $dn42_ip6)) ACCEPT;
+domain (ip ip6) table nat chain PREROUTING interface $internet proto udp dport 6001:6020 DNAT to @ipfilter(($dn42_ip4 $dn42_ip6));
+
+&def_service(evenet, dn42, udp, 21);
+&forward_to_service(evenet, udp, 21);
+&forward_to_service(evenet, udp, 123);
+&def_service(evenet-tcp, dn42, tcp, 443);
+&forward_to_service(evenet-tcp, tcp, 443);
diff --git a/services-eva/45-dns b/services-eva/45-dns
new file mode 100644
index 0000000..fcf2a25
--- /dev/null
+++ b/services-eva/45-dns
@@ -0,0 +1,6 @@
+&def_service(dns, dns, udp, 53);
+&def_service(dns2, dns, tcp, 53);
+&forward_to_service(dns, udp, 53);
+&forward_to_service(dns2, tcp, 53);
+&allow_service_for_all(dns);
+&allow_service_for_all(dns2);
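Review bot: `@def $dn42_ip4 = @resolve(dn42, A);` resolves a bare, unqualified name while the IPv6 line uses the full `ipv6.dn42.eva.higgsboson.tk`, so the IPv4 DNAT target for inbound udp 6001:6020 depends on the host's search list at the moment ferm loads; use the qualified name (presumably `dn42.eva.higgsboson.tk`, matching `$search_domain`) so both lines resolve the same way. More generally both `@resolve` calls take the DNAT destination for internet-facing traffic from a DNS answer at load time: a resolver that is unreachable at boot makes the ruleset fail to load, and a spoofed answer redirects the forwarded UDP flows, so a static container address, or at least a comment stating that the zone is served locally and under your control, would be worth adding. Also `&forward_to_service(evenet, udp, 123)` forwards a port that `&def_service(evenet, dn42, udp, 21)` did not declare, and udp/21 is an unusual choice (tcp/21 is FTP control); both macros live outside this diff, so please confirm the second port is accepted by the macro and that udp/21 is intended.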
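Review bot: `&allow_service_for_all(dns)` together with `&forward_to_service(dns, udp, 53)` exposes the `dns` container's UDP/53 to every source, so if that container recurses (its configuration is not in this diff) this is an open resolver usable for DNS amplification against third parties; either make sure it answers authoritatively only, or restrict the UDP/53 source to the networks that need recursion and keep only tcp/53 (much harder to spoof) open to all. A `mod limit` on the UDP/53 forward rule would bound the reflection volume regardless. As a style point, the sibling service file names its TCP variant `evenet-tcp`; `dns-udp`/`dns-tcp` instead of `dns`/`dns2` would follow that convention.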