diff --git a/sample-rc.d/rc.firewall-float b/sample-rc.d/rc.firewall-float
index 97a5213..d6f4787 100755
--- a/sample-rc.d/rc.firewall-float
+++ b/sample-rc.d/rc.firewall-float
@@ -2,6 +2,7 @@
 # The name of the main external interface.
 EX_IF="eth0"
+
 # The name of the Private network interface.
 PRI_IF="eth1"
@@ -11,135 +12,191 @@ PRIMARYIP6="2a02:2498:1:227::FIXME"
 FLOATINGIP="91.109.244.FIXME"
 FLOATINGIP6="2a02:2498:1:227::FIXME"
-# Disable ICMP redirects.
-# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
-# the sending host that it should forward subsequent packets to that same destination through a different gateway.
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# The IP ranges from where to accept unfiltered connections
+UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
-# Flush old rules.
-iptables -F
-ip6tables -F
-iptables -t nat -F
-ip6tables -t nat -F
-iptables -t mangle -F
-ip6tables -t mangle -F
-# Delete any custom chains.
-iptables -X
-ip6tables -X
-iptables -t nat -X
-ip6tables -t nat -X
-iptables -t mangle -X
-ip6tables -t mangle -X
+start_firewall() {
+ # Disable ICMP redirects.
+ # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+ # the sending host that it should forward subsequent packets to that same destination through a different gateway.
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-# Drop invalid packets on all interfaces.
-iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ # Flush old rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
-# Drop unroutable IPs on the external interface.
-iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
-ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
-# Allow all loopback traffic.
-iptables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -i lo -j ACCEPT
+ # Allow all loopback traffic.
+ iptables -A INPUT -i lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT
-# Allow all Private network traffic.
-iptables -A INPUT -i "$PRI_IF" -j ACCEPT
-ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
+ # Allow all Private network traffic.
+ iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
-# Allow unrestricted access from our IPs.
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
+ # Drop invalid packets on all interfaces.
+ iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
-# Allow packets of established connections and those related to them.
-iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ # Drop unroutable IPs on the external interface.
+ iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
-# Allow pings, but ratelimited.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ # Allow unrestricted access from our IPs.
+ for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+ iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+ done
+ for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+ done
-# Allow certain types of ICMP informational packets.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+ # Allow packets of established connections and those related to them.
+ iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# Always allow SSH.
-# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ # Allow pings.
+ iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-# Service: DNS.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ # Allow certain types of ICMP informational packets.
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-# Service: HTTP{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ # Always allow SSH.
+ # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+ # set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-# Service: FTP{,S}.
-# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
-# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
-# modprobe nf_conntrack_ftp
-echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: DNS.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-# Service: rsync.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: HTTP{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-# Service: SMTP and submission.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: FTP{,S}.
+ # Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+ # change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+ # modprobe nf_conntrack_ftp
+ echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-# Service: IMAP{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: rsync.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$FLOATINGIP6" --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-# Service: POP3{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: SMTP and submission.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-# Service: Bittorrent.
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: IMAP{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-# Set default policies.
-iptables -P INPUT DROP
-ip6tables -P INPUT DROP
-iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-iptables -P FORWARD DROP
-ip6tables -P FORWARD DROP
+ # Service: POP3{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+
+ # Service: Bittorrent.
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -d "$PRIMARYIP6" --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp -d "$PRIMARYIP6" -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+ # Set default policies.
+ iptables -P INPUT DROP
+ ip6tables -P INPUT DROP
+ iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ iptables -P FORWARD DROP
+ ip6tables -P FORWARD DROP
+}
+
+stop_firewall() {
+ # Set default policies to ACCEPT.
+ iptables -P INPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ ip6tables -P FORWARD ACCEPT
+
+ # Flush rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
+
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
+
+ # Reset ICMP redirects.
+ cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+
+
+case "$1" in
+ 'start')
+ start_firewall
+ ;;
+ 'stop')
+ stop_firewall
+ ;;
+ 'restart')
+ stop_firewall
+ start_firewall
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
diff --git a/sample-rc.d/rc.firewall-guests b/sample-rc.d/rc.firewall-guests
index 231e245..7dec7a1 100755
--- a/sample-rc.d/rc.firewall-guests
+++ b/sample-rc.d/rc.firewall-guests
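Review bot: In the `case` dispatcher at the end of the hunk the usage branch assigns `ERR=1` but nothing ever exits with it, and since `esac` is the last new line with no trailing context the script appears to end there and return 0 on a missing or unknown argument; change the branch to `echo "Usage: $BASH_SOURCE {start|stop|restart}" >&2` followed by `exit 1`. The four echo-request/echo-reply rules in start_firewall no longer carry the `-m limit --limit 1/sec --limit-burst 5` match that the removed lines had, so the external interface now answers ICMP echo without any rate ceiling; if that is intentional the `# Allow pings.` comment should say why, otherwise restore the limit. start_firewall also appends the `--ctstate INVALID` and unroutable-source DROP rules after the loopback, private-interface and unfiltered-range ACCEPT rules, so traffic matched by those ACCEPT rules is never checked against the DROPs — the removed ordering (drop first) was the stricter one. All three points apply unchanged to the rc.firewall-guests hunk that follows.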
@@ -2,138 +2,195 @@
 # The name of the main external interface.
 EX_IF="eth0"
+
 # The name of the Private network interface.
 PRI_IF="eth1"
-# Disable ICMP redirects.
-# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
-# the sending host that it should forward subsequent packets to that same destination through a different gateway.
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+# The IP ranges from where to accept unfiltered connections
+UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
-# Flush old rules.
-iptables -F
-ip6tables -F
-iptables -t nat -F
-ip6tables -t nat -F
-iptables -t mangle -F
-ip6tables -t mangle -F
-# Delete any custom chains.
-iptables -X
-ip6tables -X
-iptables -t nat -X
-ip6tables -t nat -X
-iptables -t mangle -X
-ip6tables -t mangle -X
+start_firewall() {
+ # Disable ICMP redirects.
+ # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+ # the sending host that it should forward subsequent packets to that same destination through a different gateway.
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-# Drop invalid packets on all interfaces.
-iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ # Flush old rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
-# Drop unroutable IPs on the external interface.
-iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
-ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
-# Allow all loopback traffic.
-iptables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -i lo -j ACCEPT
+ # Allow all loopback traffic.
+ iptables -A INPUT -i lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT
-# Allow all Private network traffic.
-iptables -A INPUT -i "$PRI_IF" -j ACCEPT
-ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
+ # Allow all Private network traffic.
+ iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
-# Allow unrestricted access from our IPs.
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
+ # Drop invalid packets on all interfaces.
+ iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
-# Allow packets of established connections and those related to them.
-iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ # Drop unroutable IPs on the external interface.
+ iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
-# Allow pings, but ratelimited.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
+ # Allow unrestricted access from our IPs.
+ for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+ iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+ done
+ for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+ done
-# Allow certain types of ICMP informational packets.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+ # Allow packets of established connections and those related to them.
+ iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# Always allow SSH.
-# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ # Allow pings.
+ iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-# Service: DNS.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ # Allow certain types of ICMP informational packets.
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-# Service: HTTP{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ # Always allow SSH.
+ # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+ # set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-# Service: FTP{,S}.
-# Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
-# change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
-modprobe nf_conntrack_ftp
-echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: DNS.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-# Service: rsync.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: HTTP{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-# Service: SMTP and submission.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: FTP{,S}.
+ # Note: This is a very permissive configuration - it leaves the high ports completely open. To close it down,
+ # change the last two rules to "ESTABLISHED,RELATED" state; but this will prevent ftps passive from working.
+ modprobe nf_conntrack_ftp
+ echo 1 >/proc/sys/net/netfilter/nf_conntrack_helper # Required to allow nf_conntrack_ftp to actually work.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 21,990 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 20,989 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-# Service: IMAP{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: rsync.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn --dport 873 -m conntrack --ctstate NEW -j ACCEPT
-# Service: POP3{,S}.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: SMTP and submission.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 25,587 -m conntrack --ctstate NEW -j ACCEPT
-# Service: Bittorrent.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ # Service: IMAP{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT
-# Set default policies.
-iptables -P INPUT DROP
-ip6tables -P INPUT DROP
-iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-iptables -P FORWARD DROP
-ip6tables -P FORWARD DROP
+ # Service: POP3{,S}.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 110,995 -m conntrack --ctstate NEW -j ACCEPT
+
+ # Service: Bittorrent.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 6881:6899 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p udp -m multiport --dports 49152:65534 -m conntrack --ctstate NEW -j ACCEPT
+
+ # Set default policies.
+ iptables -P INPUT DROP
+ ip6tables -P INPUT DROP
+ iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ iptables -P FORWARD DROP
+ ip6tables -P FORWARD DROP
+}
+
+stop_firewall() {
+ # Set default policies to ACCEPT.
+ iptables -P INPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ ip6tables -P FORWARD ACCEPT
+
+ # Flush rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
+
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
+
+ # Reset ICMP redirects.
+ cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+
+
+case "$1" in
+ 'start')
+ start_firewall
+ ;;
+ 'stop')
+ stop_firewall
+ ;;
+ 'restart')
+ stop_firewall
+ start_firewall
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
diff --git a/sample-rc.d/rc.firewall-hosts b/sample-rc.d/rc.firewall-hosts
deleted file mode 100755
index 2bb8aad..0000000
--- a/sample-rc.d/rc.firewall-hosts
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-# The name of the main external interface.
-EX_IF="br0"
-
-# Disable ICMP redirects.
-# Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
-# the sending host that it should forward subsequent packets to that same destination through a different gateway.
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
-echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
-
-# Flush old rules.
-iptables -F
-ip6tables -F
-iptables -t nat -F
-ip6tables -t nat -F
-iptables -t mangle -F
-ip6tables -t mangle -F
-
-# Delete any custom chains.
-iptables -X
-ip6tables -X
-iptables -t nat -X
-ip6tables -t nat -X
-iptables -t mangle -X
-ip6tables -t mangle -X
-
-# Drop invalid packets on all interfaces.
-iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
-
-# Drop unroutable IPs on the external interface.
-iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
-ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
-iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
-
-# Allow all loopback traffic.
-iptables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -i lo -j ACCEPT
-
-# Allow unrestricted access from our IPs.
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.78-91.109.244.79 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.239-91.109.244.243 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a02:2498:1:227::/64 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -s 185.176.90.169 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -s 2a07:4580:b0d:57f::/64 -j ACCEPT
-
-# Allow packets of established connections and those related to them.
-iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
-# Allow pings, but ratelimited.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-
-# Allow certain types of ICMP informational packets.
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-
-# Always allow SSH.
-# Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
-# set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
-iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
-
-# Set default policies.
-iptables -P INPUT DROP
-ip6tables -P INPUT DROP
-iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
-iptables -P FORWARD DROP
-ip6tables -P FORWARD DROP
diff --git a/sample-rc.d/rc.firewall-hypervisors b/sample-rc.d/rc.firewall-hypervisors
new file mode 100755
index 0000000..47623a6
--- /dev/null
+++ b/sample-rc.d/rc.firewall-hypervisors
@@ -0,0 +1,148 @@
+#!/bin/bash
+
+# The name of the main external interface.
+EX_IF="br0"
+
+# The name of the Private network interface.
+PRI_IF="br1"
+
+# The IP ranges from where to accept unfiltered connections
+UNFILTERED_RANGES_V4=('91.109.244.7-91.109.244.11' '91.109.244.78-91.109.244.79' '91.109.244.239-91.109.244.243' '185.176.90.169')
+UNFILTERED_RANGES_V6=('2a02:2498:1:227::/64' '2a07:4580:b0d:57f::/64')
+
+
+start_firewall() {
+ # Disable ICMP redirects.
+ # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
+ # the sending host that it should forward subsequent packets to that same destination through a different gateway.
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ echo 0 >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+
+ # Flush old rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
+
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
+
+ # Allow all loopback traffic.
+ iptables -A INPUT -i lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT
+
+ # Allow all Private network traffic.
+ iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
+
+ # Drop invalid packets on all interfaces.
+ iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
+ ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
+
+ # Drop unroutable IPs on the external interface.
+ iptables -A INPUT -i "$EX_IF" -s 127.0.0.0/8 -j DROP
+ ip6tables -A INPUT -i "$EX_IF" -s ::1/128 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 10.0.0.0/8 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 172.16.0.0/12 -j DROP
+ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
+
+ # Allow unrestricted access from our IPs.
+ for IPRANGE in "${UNFILTERED_RANGES_V4[@]}"; do
+ iptables -A INPUT -i "$EX_IF" -m iprange --src-range "$IPRANGE" -j ACCEPT
+ done
+ for IPRANGE in "${UNFILTERED_RANGES_V6[@]}"; do
+ ip6tables -A INPUT -i "$EX_IF" -s "$IPRANGE" -j ACCEPT
+ done
+
+ # Allow packets of established connections and those related to them.
+ iptables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # Allow pings.
+ iptables -A INPUT -i "$EX_IF" -p icmp -m icmp --icmp-type echo-request -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type echo-reply -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
+
+ # Allow certain types of ICMP informational packets.
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
+
+ # Always allow SSH.
+ # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get
+ # set back to defaults. Any connections to the standard port will just get a 'connection refused' message, unless this happens.
+ iptables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+ ip6tables -A INPUT -i "$EX_IF" -p tcp --syn -m multiport --dports 22,9922 -m conntrack --ctstate NEW -j ACCEPT
+
+ # Set default policies.
+ iptables -P INPUT DROP
+ ip6tables -P INPUT DROP
+ iptables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ ip6tables -P OUTPUT ACCEPT # We don't firewall outgoing connections.
+ iptables -P FORWARD DROP
+ ip6tables -P FORWARD DROP
+}
+
+stop_firewall() {
+ # Set default policies to ACCEPT.
+ iptables -P INPUT ACCEPT
+ ip6tables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ ip6tables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ ip6tables -P FORWARD ACCEPT
+
+ # Flush rules.
+ iptables -F
+ ip6tables -F
+ iptables -t nat -F
+ ip6tables -t nat -F
+ iptables -t mangle -F
+ ip6tables -t mangle -F
+
+ # Delete any custom chains.
+ iptables -X
+ ip6tables -X
+ iptables -t nat -X
+ ip6tables -t nat -X
+ iptables -t mangle -X
+ ip6tables -t mangle -X
+
+ # Reset ICMP redirects.
+ cat /proc/sys/net/ipv4/conf/default/accept_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv6/conf/default/accept_redirects >"/proc/sys/net/ipv6/conf/$EX_IF/accept_redirects"
+ cat /proc/sys/net/ipv4/conf/default/send_redirects >"/proc/sys/net/ipv4/conf/$EX_IF/send_redirects"
+}
+
+
+case "$1" in
+ 'start')
+ start_firewall
+ ;;
+ 'stop')
+ stop_firewall
+ ;;
+ 'restart')
+ stop_firewall
+ start_firewall
+ ;;
+ *)
+ echo "Usage: $BASH_SOURCE " >&2
+ ERR=1
+ ;;
+esac
diff --git a/sample-rc.d/rc.firewall-old b/sample-rc.d/rc.firewall-old
deleted file mode 100755
index 7b020f8..0000000
--- a/sample-rc.d/rc.firewall-old
+++ /dev/null
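Review bot: The `'restart'` arm runs `stop_firewall` before `start_firewall`, so between `iptables -P INPUT ACCEPT` in stop and the closing `iptables -P INPUT DROP` in start the host briefly has an ACCEPT policy with no INPUT rules; since `start_firewall` already flushes every table and deletes the custom chains, `'restart') start_firewall ;;` reaches the same end state without that fail-open window. The ping rules also lost the `-m limit --limit 1/sec --limit-burst 5` that the deleted rc.firewall-hosts (same `br0` interface, so presumably this file's predecessor) applied to all four echo rules; if that is deliberate a comment saying so would help, otherwise they should carry it again. In the usage arm `ERR=1` is never read, so an unknown argument exits 0 and the message names no commands; `echo "Usage: $BASH_SOURCE {start|stop|restart}" >&2` followed by `exit 1` fixes both. The same `case` block and restart ordering appear in the rc.firewall-float hunk above.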
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-IPTABLES=/usr/sbin/iptables
-
-# Flush the tables.
-$IPTABLES -F
-
-# Drop bootp ports.
-$IPTABLES -m multiport -A INPUT -p tcp --dports 67,68 -j DROP
-$IPTABLES -m multiport -A INPUT -p udp --dports 67,68 -j DROP
-
-# Drop netbios ports.
-$IPTABLES -m multiport -A INPUT -p tcp --dports 137,138,139 -j DROP
-$IPTABLES -m multiport -A INPUT -p udp --dports 137,138,139 -j DROP