diff --git a/host/make.sh b/host/make.sh
index d3b33ef..976a206 100644
--- a/host/make.sh
+++ b/host/make.sh
@@ -41,9 +41,8 @@ if xreadYes "# Create bridges?" BRIDGES ; then
 fi
 # Firewall
-# XXX this should be done after the setup process...
-if xreadYes "# Update firewall rules?" BRIDGES ; then
- echo
+if xreadYes "# Update firewall rules?" FIREWALL ; then
+ @ cp --backup -i templates/etc/pve/firewall/cluster.fw /etc/pve/firewall/
 fi
diff --git a/host/templates/etc/firewall/cluster.fw b/host/templates/pve/etc/firewall/cluster.fw
similarity index 95%
rename from host/templates/etc/firewall/cluster.fw
rename to host/templates/pve/etc/firewall/cluster.fw
index 1c8e892..bf5a7f4 100644
--- a/host/templates/etc/firewall/cluster.fw
+++ b/host/templates/pve/etc/firewall/cluster.fw
@@ -17,7 +17,7 @@ OUT DHCPfwd(REJECT) -i vmbr0 -log nolog
 IN DNS(ACCEPT) -i vmbr0 -log nolog
 IN Ping(ACCEPT) -i vmbr0 -log nolog
 IN SSH(ACCEPT) -i vmbr0 -log nolog
-IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
+|IN OpenVPN(ACCEPT) -i vmbr0 -log nolog
 IN Web(ACCEPT) -i vmbr0 -log nolog
 IN ACCEPT -i vmbr0 -p udp -dport 22027 -log nolog # syncthing
 IN ACCEPT -i vmbr0 -p udp -dport 22000 -log nolog # syncthing
diff --git a/syncthing/make.sh b/syncthing/make.sh
index bced7d1..38ebc69 100755
--- a/syncthing/make.sh
+++ b/syncthing/make.sh
@@ -78,7 +78,7 @@ sleep ${TIMEOUT:=5}
 -i /var/lib/syncthing/.config/syncthing/config.xml
 echo "# Setup: firewall..."
-@ cp fw/ID.fw /etc/firewall/$ID.fw
+@ cp --backup -i fw/ID.fw /etc/pve/firewall/$ID.fw
 echo "# Post config..."
 pctSet $ID "${OPTS_STAGE_2}" $REBOOT
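Review bot: The source path in the added `cp` line of host/make.sh, `templates/etc/pve/firewall/cluster.fw`, does not match where this same commit moves the template, `host/templates/pve/etc/firewall/cluster.fw` (`pve/etc` versus `etc/pve`). As written, answering yes to the prompt will most likely fail on a missing file and leave the cluster firewall unchanged; either correct the line to `@ cp --backup -i templates/pve/etc/firewall/cluster.fw /etc/pve/firewall/` or rename the template directory to `templates/etc/pve/`. The `@` wrapper is defined outside the hunk, so it is not visible whether a failed copy stops the script or is only logged. The commit also drops the `# XXX this should be done after the setup process...` note without changing the ordering, so a short comment saying why it is now safe to install the rules at this point would help.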
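Review bot: The changed OpenVPN line in cluster.fw carries no explanation for the new leading `|`, which in Proxmox firewall syntax marks a rule as disabled, so the rule stays in the template but is no longer applied. A trailing comment in the style of the syncthing lines would keep a later reader from taking the `|` for a typo, for example `|IN OpenVPN(ACCEPT) -i vmbr0 -log nolog # disabled: <reason>`. If the host is not meant to accept OpenVPN at all, deleting the line is clearer than shipping a disabled ACCEPT rule.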
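Review bot: In syncthing/make.sh, the `-i` on the new `cp` makes installing the container's firewall file optional at run time. If `/etc/pve/firewall/$ID.fw` already exists (for example from an earlier container with the same ID) and the prompt is declined or stdin is not interactive, the old rules stay in place and the script still goes on to `pctSet $ID ... $REBOOT`. For an unattended setup step I would drop `-i`, keep `--backup`, and quote the target: `@ cp --backup -- fw/ID.fw "/etc/pve/firewall/${ID}.fw"`. Note that `--backup` leaves `$ID.fw~` files in /etc/pve/firewall, which is presumably harmless but worth cleaning up. The surrounding script continues outside the hunk, so whether `@` aborts on a failed copy is not visible here.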