diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
index 9670712..06d8bf6 100644
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -3,8 +3,8 @@ if [ "$IFACE" = "{{ interface }}" ]; then
     iptables -F FORWARD
     ip6tables -F FORWARD
-    iptables -P FORWARD REJECT
-    ip6tables -P FORWARD REJECT
+    iptables -P FORWARD DROP
+    ip6tables -P FORWARD DROP
     iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
     ip6tables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
     # DNS
@@ -18,5 +18,8 @@ if [ "$IFACE" = "{{ interface }}" ]; then
     ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
     # downloads.lede-project.org
     iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
-    iptables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+    ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+    # Deny by default
+    iptables -A FORWARD -j REJECT
+    ip6tables -A FORWARD -j REJECT
 fi
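Review bot: With the chain now defaulting to DROP (and a REJECT catch-all appended further down), the ESTABLISHED-only accept rules right after the new `-P FORWARD DROP` lines will start discarding RELATED traffic — ICMP/ICMPv6 errors such as fragmentation-needed or time-exceeded that belong to forwarded flows, and helper-tracked secondary connections — which the previous effectively open chain let through. Change both rules to `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` and `ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` (or the equivalent `-m conntrack --ctstate ESTABLISHED,RELATED`). `-P` only accepts ACCEPT or DROP, so DROP is the correct fail-safe policy while the chain is flushed and rebuilt; a one-line comment saying so above the `-P` lines, e.g. `# DROP is the fail-safe while rules are reloaded; the tail REJECT rule handles normal traffic`, would stop a later reader from reverting it. The enclosing `if` block starts before this hunk and ends in the next one.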
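Review bot: The corrected `ip6tables` line still passes `$IFACE` unquoted, as do the neighbouring `-i $IFACE` rules; an interface name with unexpected characters would be word-split into extra arguments before it reaches `-i`, so the new line should read `ip6tables -A FORWARD -i "$IFACE" --dest 2a01:4f8:202:43ea::3 -j ACCEPT`. The two trailing REJECT rules are appended without `-i`, which is right for a deny-all, but a comment explaining why REJECT is used at the tail while the policy is DROP would make the two-layer design explicit, e.g. `# Policy DROP is the fail-safe if this script aborts mid-way; REJECT gives clients an immediate error`. The hard-coded `--dest` addresses for downloads.lede-project.org will silently break when that host's records change, so a comment noting the date they were resolved, or a review reminder, is worth adding. The enclosing `if` block starts in the previous hunk.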