diff --git a/roles/firewall/files/haproxy.cfg b/roles/firewall/files/haproxy.cfg
index 82ac32d3c5fd0b99c733b9ed7b513cef9bab5896..6093e4de804a04ea8496aab02fbf955d6f64ec2f 100644
--- a/roles/firewall/files/haproxy.cfg
+++ b/roles/firewall/files/haproxy.cfg
@@ -248,7 +248,16 @@ backend foreman
 
 backend ceph_dashboard
     mode http
+
+    option httpchk GET /
+    http-check expect status 200
+
+    http-response add-header X-Frame-Options: ALLOW
+
     server rz-sp-virt-01 192.168.123.11:8080 check
+    server rz-sp-virt-02 192.168.123.12:8080 check
+    server rz-sp-virt-04 192.168.123.14:8080 check
+
 
 backend local_nginx
     mode http
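Review bot: The added `http-response add-header X-Frame-Options: ALLOW` line does not set a usable framing policy: `ALLOW` is not a defined X-Frame-Options value (the defined ones are `DENY` and `SAMEORIGIN`), and since HAProxy takes the header name and value as separate arguments, the trailing colon presumably ends up in the header name. `add-header` also appends rather than replaces, so a header sent by the dashboard itself would remain alongside it. If the aim is clickjacking protection, `http-response set-header X-Frame-Options SAMEORIGIN` is the usual form; if the dashboard has to be embedded from another origin, a `Content-Security-Policy` header with `frame-ancestors` naming that origin is the supported way to allow it. A comment above the line should state which of the two is intended.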
diff --git a/roles/firewall/files/shorewall/hosts b/roles/firewall/files/shorewall/hosts
index e9d277c7c209190ef7016e129ce0a9933b74c6b1..e9c6593613a41601fbf437a19cc3f198c4d29dd6 100644
--- a/roles/firewall/files/shorewall/hosts
+++ b/roles/firewall/files/shorewall/hosts
@@ -32,6 +32,8 @@
 	admcli		br-wan:87.162.124.119
 	# monitoring-extern
 	admcli		br-wan:23.88.122.18
+        # Hetzner magicfelix
+        admcli		br-wan:168.119.166.244
 ?endif
 
 ?if __IPV6
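Review bot: The new `admcli` entry hard-codes 168.119.166.244 while the same commit defines `HETZNER_MAGICFELIX` for that address in `params`, so the address must be kept in sync in two places; assuming params variables are expanded in `hosts` as they are in `rules`, `admcli br-wan:$HETZNER_MAGICFELIX` would avoid that. The comment suggests a rented Hetzner host, so this puts a provider-assigned address into the admin-client zone; the comment should name the owner and when to re-check the entry, e.g. `# Hetzner VM of magicfelix, admin access, remove when the server is given up`. The two added lines are indented with spaces where the neighbouring entries use a tab. The enclosing `?if` block starts outside the hunk.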
diff --git a/roles/firewall/files/shorewall/params b/roles/firewall/files/shorewall/params
index 549bbde5641e3d96293e104c0c09cb264cb394d8..e6df58a79a5dd0cd231733e5653e3a7c0c18f946 100644
--- a/roles/firewall/files/shorewall/params
+++ b/roles/firewall/files/shorewall/params
@@ -62,7 +62,7 @@ PROXMOX_HOSTS=192.168.123.11,192.168.123.12,192.168.123.13,192.168.123.14
 
 # Blocklists
 
-BADGUYS=101.64.0.0/13,183.128.0.0/11 
+BADGUYS=101.64.0.0/13,183.128.0.0/11,111.0.0.0/10,36.99.0.0/16,31.210.37.0/24
 
 # Hosts
 
@@ -76,3 +76,6 @@ MEDIA=91.184.37.239
 CLOUD=91.184.37.233
 RZ_SP_BACKUP_01=91.184.37.163
 WWW_ALT=91.184.37.227
+
+# Users
+HETZNER_MAGICFELIX=168.119.166.244/32
diff --git a/roles/firewall/files/shorewall/rules b/roles/firewall/files/shorewall/rules
index 70a1d02b3b842f0b936b82cd3736b619fcd274ff..3eaae84043c7f2e84f6f7a5cda8717f1180e5227 100644
--- a/roles/firewall/files/shorewall/rules
+++ b/roles/firewall/files/shorewall/rules
@@ -20,6 +20,9 @@
 ?SECTION UNTRACKED
 ?SECTION NEW
 
+# Drop nervigen Foo
+DROP			all:$BADGUYS				all
+
 # Unbreak the internet
 ACCEPT			all				all				icmp
 
@@ -176,6 +179,7 @@ Web/ACCEPT  all  fw:$HAPROXY_ADMINS
 ACCEPT				intern:192.168.124.26/32	all
 Web/ACCEPT			all!wan				intern:192.168.124.26/32
 
+ACCEPT		wan:$HETZNER_MAGICFELIX		intern:91.184.37.169/32
+
 ACCEPT				all				mgmt:$PROXMOX_HOSTS	tcp	80
 
-DROP:info			all:$BADGUYS				all
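Review bot: The added `ACCEPT wan:$HETZNER_MAGICFELIX intern:91.184.37.169/32` has no protocol or port columns, so every protocol and port on that internal host is reachable from the external address. It should be limited to the service actually needed, in the form `ACCEPT wan:$HETZNER_MAGICFELIX intern:91.184.37.169/32 tcp <PORT>` (placeholder port), with a comment saying what 91.184.37.169 is. Separately, the `$BADGUYS` rule removed here as `DROP:info` is re-added at the top of the NEW section as plain `DROP`, so matches against the blocklist are no longer logged. If that is deliberate to cut log noise, the comment at the new location should say so; otherwise keep `DROP:info` there.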
diff --git a/roles/firewall/files/shorewall/snat b/roles/firewall/files/shorewall/snat
index ef8aacdf31238769fbdab459ad89cba29775c402..6dc4e0efd298a8d9849687df763cd7d8291dd72f 100644
--- a/roles/firewall/files/shorewall/snat
+++ b/roles/firewall/files/shorewall/snat
@@ -1,5 +1,5 @@
 ?if __IPV4
-MASQUERADE	10.0.0.0/8		br-wan
+SNAT(91.184.32.117)    10.0.0.0/8              br-wan
 MASQUERADE	192.168.123.0/24	br-wan
 MASQUERADE      192.168.124.0/24        br-wan
 MASQUERADE	172.16.30.0/24		br-wan
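Review bot: The fixed source address in `SNAT(91.184.32.117)` is an unexplained literal, whereas other public addresses in this role are named in `params`. A comment such as `# 10.0.0.0/8 leaves with a fixed address because <REASON>` and a params variable would make the rule reviewable. SNAT to a fixed address only works while that address is configured on br-wan, which cannot be checked from this diff (the other public addresses visible in the commit are in 91.184.37.x). The new line is aligned with spaces where the replaced line used tabs. The `?if __IPV4` block continues outside the hunk.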