diff --git a/flake.nix b/flake.nix
index cfbd77c..2655ff0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,6 +42,28 @@
 
           qemu-uefi-tpm = pkgs.callPackage ./utils/qemu-uefi-tpm.nix { };
 
+          firewall-sysext = pkgs.callPackage ./lib/make-sysext.nix {
+            name = "firewall-tools";
+            version = "0.0.1";
+            packages = [
+              # network/firewalling
+              { drv = pkgs.iproute2; path = "bin/"; }
+              { drv = pkgs.nftables; path = "bin/"; }
+              { drv = pkgs.wireguard-tools; path = "bin/.wg-wrapped"; destpath = "bin/wg"; }
+              # deps
+              { drv = pkgs.nftables; path = "lib/"; }
+              { drv = pkgs.libnftnl; path = "lib/"; }
+              { drv = pkgs.iptables; path = "lib/"; }
+              { drv = pkgs.libgcc.lib; path = "lib/"; }
+              { drv = pkgs.libgcc; path = "lib/"; }
+              { drv = pkgs.libmnl; path = "lib/"; }
+              { drv = pkgs.gmp; path = "lib/"; }
+              { drv = pkgs.jansson.out; path = "lib/"; }
+              { drv = pkgs.ncurses.out; path = "lib/"; }
+              { drv = pkgs.libedit; path = "lib/"; }
+            ];
+          };
+
           debug-tools-sysext = pkgs.callPackage ./lib/make-sysext.nix {
             name = "debug-tools";
             version = "0.0.1";
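Review bot: The wireguard entry on the `bin/.wg-wrapped` line depends on a hidden file name produced by the nixpkgs wrapper mechanism, and nothing in the hunk records why the wrapper is bypassed. If the package's wrapping changes, this attribute will either stop building or ship a different file as `bin/wg`, so a comment such as `# ship the unwrapped binary; the wrapper presumably references store paths that are not in the sysext (confirm)` would record the intent. The `# deps` entries also copy whole `lib/` trees from `libgcc`, `iptables`, `ncurses` and others. Since a sysext image is merged into the host's `/usr`, consider narrowing these to the shared objects that `ip`, `nft` and `wg` actually load, so the image does not add or shadow unrelated libraries.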
diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix
index 59b04cf..70ed570 100644
--- a/lib/make-sysext.nix
+++ b/lib/make-sysext.nix
@@ -69,7 +69,7 @@ runCommand name
         # remove if exists
         for f in $srcfile/*; do
           basename="$(basename -- "$f")"
-          rm -f "$destfile/$basename"
+          rm -rf "$destfile/$basename"
         done
         cp -rPv "$srcfile" "$basedir"
         chmod -R 755 "$basedir"
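Review bot: With `rm -rf`, a destination directory that shares a name with an entry from a later package is now deleted wholesale before the copy, so when several packages install into `lib/` the result depends on list order and an earlier package's subdirectory can vanish silently instead of being merged. The `# remove if exists` comment should say so, for example `# replace any existing file or directory of the same name (directories are not merged; later packages win)`. Because the delete is now recursive, an empty `$destfile` would turn the path into `/$basename`. `destfile` is set outside this hunk, so if it can ever be empty, add a guard such as `[ -n "$destfile" ] || exit 1` before the loop and pass `--` to `rm`. The enclosing `runCommand` script starts and ends outside the hunk.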