diff --git a/install.sh b/install.sh
index 01e645d..572bd52 100755
--- a/install.sh
+++ b/install.sh
@@ -628,8 +628,9 @@ Requires=postgresql.service manticore.service
 Type=simple
 User=${AM_USER}
 Group=${AM_USER}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# CAP_NET_ADMIN: required for the admin "enable firewall" action (nft -f /etc/nftables.conf)
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
 ExecStart=${INSTALL_DIR}/archivmail --config ${CONFIG_DIR}/config.yml
 Restart=on-failure
 RestartSec=5