diff --git a/scripts/setup-clickhouse.sh b/scripts/setup-clickhouse.sh
index 6f0f38b..74823fd 100755
--- a/scripts/setup-clickhouse.sh
+++ b/scripts/setup-clickhouse.sh
@@ -6,6 +6,7 @@
 # Usage (from repo root or any path):
 #   bash scripts/setup-clickhouse.sh
 #   bash scripts/setup-clickhouse.sh --purge-existing   # one line; do not split after "--"
+#   bash scripts/setup-clickhouse.sh --listen-all-interfaces   # HTTP 8123 / native 9000 on 0.0.0.0 (see firewall)
 #   CLICKHOUSE_CHANNEL=lts bash scripts/setup-clickhouse.sh
 #
 # Env:
@@ -73,13 +74,16 @@ CLICKHOUSE_LIST="/etc/apt/sources.list.d/clickhouse.list"
 KEYRING="/usr/share/keyrings/clickhouse-keyring.gpg"
 CHANNEL="${CLICKHOUSE_CHANNEL:-stable}"
 PURGE_EXISTING=false
+LISTEN_ALL_INTERFACES=false
 
 for arg in "$@"; do
   case "$arg" in
     --purge-existing) PURGE_EXISTING=true ;;
+    --listen-all-interfaces) LISTEN_ALL_INTERFACES=true ;;
     -h|--help)
-      echo "Usage: $0 [--purge-existing]"
-      echo "  --purge-existing   apt purge existing clickhouse* packages before installing (destructive for old installs)."
+      echo "Usage: $0 [--purge-existing] [--listen-all-interfaces]"
+      echo "  --purge-existing           apt purge existing clickhouse* packages before installing (destructive for old installs)."
+      echo "  --listen-all-interfaces   bind HTTP (8123) and native (9000) on 0.0.0.0 — open cloud NSG/ufw + use strong passwords."
       echo "  Env: CLICKHOUSE_CHANNEL=stable|lts (default: stable), WAIT_FOR_APT_LOCK_SEC (default: 900)"
       exit 0
       ;;
@@ -140,6 +144,19 @@ echo "==> Enabling and starting clickhouse-server..."
 sudo systemctl enable --now clickhouse-server
 sudo systemctl --no-pager --full status clickhouse-server || true
 
+if [[ "$LISTEN_ALL_INTERFACES" == "true" ]]; then
+  echo "==> Binding ClickHouse to all IPv4 interfaces (0.0.0.0) for remote HTTP/native..."
+  sudo tee /etc/clickhouse-server/config.d/99-listen-all-interfaces.xml >/dev/null <<'EOF'
+<clickhouse>
+    <!-- Default install often listens only on loopback; this allows e.g. http://SERVER_IP:8123 from other hosts. -->
+    <listen_host>0.0.0.0</listen_host>
+</clickhouse>
+EOF
+  sudo systemctl restart clickhouse-server
+  sudo systemctl --no-pager --full status clickhouse-server || true
+  echo "    Open inbound TCP 8123 (and 9000 if you use native clients) in your cloud NSG / security group and ufw."
+fi
+
 echo "==> Verifying..."
 if clickhouse-client -q "SELECT version(), 1" 2>/dev/null; then
   echo "ClickHouse responded OK."
@@ -151,4 +168,7 @@ fi
 
 echo ""
 echo "Done. Client: clickhouse-client | HTTP default :8123 | native default :9000"
-echo "Optional: open ports in ufw / cloud NSG only if you need remote access."
+if [[ "$LISTEN_ALL_INTERFACES" != "true" ]]; then
+  echo "Remote browser/API to this host: re-run with --listen-all-interfaces or add listen_host in /etc/clickhouse-server/config.d/"
+  echo "  (default is often localhost-only, so http://PUBLIC_IP:8123 will not work until you do)."
+fi