diff --git a/debian/postinst b/debian/postinst
index 321fd58..c96044a 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -418,7 +418,7 @@ case "$1" in
 systemctl enable strongswan || true ## in case we kick-start or done have it enabled for some reason
 systemctl enable firewall
 systemctl restart firewall
- systemctl reload frr
+ ## systemctl reload frr ## still too dangerous? failed heavy on last attempt
 
 ## END services section
 
diff --git a/files/firewall b/files/firewall
index f1c7b01..ab9e94f 100755
--- a/files/firewall
+++ b/files/firewall
@@ -23,6 +23,10 @@ case $1 in
 iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
 iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings"
 
+ ## frr local service connections
+ iptables -A INPUT -i lo -m multiport -p tcp --sports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
+ iptables -A INPUT -i lo -m multiport -p tcp --dports 2600:2618 -j ACCEPT -m comment --comment "local ceph osd traffic"
+
 ## local ceph osd services
 iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
 iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
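Review bot: The commented-out `systemctl reload frr` in debian/postinst is left as dead code, and its trailing remark ("still too dangerous? failed heavy on last attempt") records neither what failed nor what an operator has to do instead. With the reload gone, nothing in the visible services section makes a running frr pick up configuration shipped by the package, so it presumably keeps its old config until someone reloads it by hand. I would replace the line with a comment that states the decision, e.g. `## frr is intentionally NOT reloaded on upgrade (reload failed, see <ISSUE-ID placeholder>); run 'systemctl reload frr' manually`. The enclosing `case` branch starts and ends outside the hunk.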
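Review bot: Both added frr rules in files/firewall carry `--comment "local ceph osd traffic"`, copied from the ceph block below them, so `iptables -L` and `iptables-save` output will attribute loopback ports 2600:2618 to ceph and mislead anyone auditing the ruleset. Give the two lines their own label, e.g. `--comment "local frr traffic"`. The `--sports 2600:2618` rule also accepts any loopback TCP packet whose source port is in that range, whatever its destination port. That is confined to `lo`, but if the chain already accepts established connections (not visible in this hunk) the `--sports` line adds nothing and can be dropped. The enclosing `case` branch starts and ends outside the hunk.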