diff --git a/files/firewall b/files/firewall
index 43c7869..634a332 100755
--- a/files/firewall
+++ b/files/firewall
@@ -46,11 +46,26 @@ case $1 in
 iptables -P INPUT DROP
+ ## some rules for bastion boxes to protect the mgmt networks
+ iptables -F FORWARD
+ iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A FORWARD -o mgmtgw1 -j DROP
+ iptables -A FORWARD -i ipmigw1 -j DROP
+ iptables -A FORWARD -o ipmigw1 -j DROP
+
+ #special tables
 iptables -t mangle -F
 iptables -t nat -F
 iptables -t raw -F
+
+ # this matters only on bastion boxes
+ iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
+ iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
+ iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
+ iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
 # this matters on all boxes
 iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
 iptables -t raw -A OUTPUT -o mgmt -j ACCEPT
 iptables -t raw -A PREROUTING -j NOTRACK
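Review bot: The new `iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT` can only match packets conntrack has seen, but the unconditional `iptables -t raw -A PREROUTING -j NOTRACK` further down still untracks everything arriving on any interface other than mgmt1, mgmtgw1 or ipmigw1, and untracked packets are never ESTABLISHED or RELATED. On a bastion that forwards, a connection initiated from the mgmt side and sent out an upstream interface therefore gets its replies dropped by the following `-o mgmtgw1 -j DROP`, so the exemption looks dead as written. If replies are meant to be forwarded back into mgmt, the upstream ingress interface needs a raw exemption ahead of the NOTRACK rule, e.g. `iptables -t raw -A PREROUTING -i <upstream> -j ACCEPT`, or the NOTRACK rules should be limited to locally terminated traffic; otherwise the ESTABLISHED rule can simply go. The hunk also flushes FORWARD without a `-P FORWARD DROP`, so anything not matched here, including traffic entering from mgmtgw1, falls through to whatever policy is set elsewhere in the script. The `case` arm this sits in begins before the hunk and continues past it.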
@@ -85,15 +100,30 @@ case $1 in
 ip6tables -P INPUT DROP
+ ## some rules for bastion boxes to protect the mgmt networks
+ ip6tables -F FORWARD
+ ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A FORWARD -o mgmtgw1 -j DROP
+ ip6tables -A FORWARD -i ipmigw1 -j DROP
+ ip6tables -A FORWARD -o ipmigw1 -j DROP
+
+ #special tables
 ip6tables -t mangle -F
 ip6tables -t nat -F
 ip6tables -t raw -F
- ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
- ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
- ip6tables -t raw -A PREROUTING -j NOTRACK
- ip6tables -t raw -A OUTPUT -j NOTRACK
+
+ # this matters only on bastion boxes
+ ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
+ ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
+ # this matters on all boxes
+ ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
+ ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
+ ip6tables -t raw -A PREROUTING -j NOTRACK
+ ip6tables -t raw -A OUTPUT -j NOTRACK
 #some boxes get special addon rules
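Review bot: The re-added `ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT` names interface `mgmt` while its PREROUTING partner and every other rule in the hunk use `mgmt1`; `-o` matches the name exactly unless it ends in `+`, so this exemption is probably a no-op and locally generated traffic towards mgmt1 is NOTRACKed while replies arriving on mgmt1 are tracked. The line is carried over from the removed block, but since this hunk rewrites that block anyway it is the place to settle `mgmt` versus `mgmt1` (the IPv4 section has the same asymmetry). The new `-o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT` also cannot match forwarded packets that entered on an interface the unconditional `PREROUTING -j NOTRACK` below leaves UNTRACKED, so on a forwarding bastion replies to mgmt-initiated connections hit the `-o mgmtgw1 -j DROP`; an upstream-interface raw ACCEPT ahead of the NOTRACK rule is needed if that path is intended. `-m state` is the legacy match here; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current form. The enclosing `case` arm continues on both sides of the hunk.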