diff --git a/firewall.yml b/firewall.yml
index 82ee02d..9c8098d 100644
--- a/firewall.yml
+++ b/firewall.yml
@@ -1,3 +1,5 @@
+- hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan
+ tasks: []
 - hosts: router
 roles:
 - firewall
diff --git a/production/hosts b/production/hosts
index 71f73fd..162075e 100644
--- a/production/hosts
+++ b/production/hosts
@@ -8,7 +8,6 @@ machinbox.mateu.be
 claude.dmz.mateu.be
 dimitri.dmz.mateu.be
 edelgard.dmz.mateu.be
-rhea.dmz.mateu.be
 [borgbackup:children]
 borg_server
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index ebc712d..7f3ecba 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -438,6 +438,15 @@ config zone
 option masq '1'
 option mtu_fix '1'
+config zone
+ option name 'orig'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option network 'wan'
+ option masq '1'
+ option mtu_fix '1'
+
 config forwarding
 option src 'lan'
 option dest 'wan'
@@ -446,6 +455,10 @@ config forwarding
 option src 'lan'
 option dest 'dmz'
+config forwarding
+ option src 'lan'
+ option dest 'orig'
+
 config include
 option path '/etc/firewall.user'
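Review bot: The new first play in firewall.yml (`hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-macbookair.lan` with `tasks: []`) carries no comment saying why an empty play runs against almost the whole inventory before the router play. Presumably it is there to trigger implicit fact gathering so the firewall role's template can read other hosts' facts through `hostvars`; if so, state that above the play, e.g. `# Gather facts from every managed host; the firewall template reads them via hostvars`. The three excluded hostnames are hard-coded in the pattern with no reason given, so a short note on why they are skipped would help the next maintainer keep the list correct. Hosts excluded here, or unreachable at run time, will have no facts, so it is worth confirming that the template fails loudly rather than rendering a ruleset that silently omits them.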
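Review bot: In roles/firewall/templates/firewall.j2 the added zone `orig` is bound to `option network 'wan'`, and the zone that ends just above it looks like the existing wan zone, though only its `masq`/`mtu_fix` tail is inside the hunk. If both zones cover the same network, two zones compete for one interface, and it is not evident from the config which zone's `input`/`forward` policy applies to traffic arriving on it. The `lan` to `orig` forwarding added in the following hunk would then only repeat the existing `lan` to `wan` forwarding. If `orig` is meant to be a separate uplink, it should reference its own network; either way, a one-line comment above the new `config zone` saying what `orig` stands for would document the intent. Diffing the rendered ruleset on the router before and after this change would confirm that the WAN input policy is unchanged.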