diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 
 # INPUT
 
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 	true,MODE1) ;;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 837178110..7a18502bf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
 	iptables -N IPTVFORWARD
 	iptables -A FORWARD -j IPTVFORWARD
 
-	# filtering from GUI
-	iptables -N GUIINPUT
-	iptables -A INPUT -j GUIINPUT
-	iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+	# Allow to ping the firewall.
+	iptables -N ICMPINPUT
+	iptables -A INPUT -j ICMPINPUT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
 	# Accept everything on loopback
 	iptables -N LOOPBACK
@@ -179,7 +179,10 @@ iptables_init() {
 	iptables -t nat -A POSTROUTING -j IPSECNAT
 
 	# localhost and ethernet.
-	iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+	# Always allow accessing the web GUI from GREEN.
+	iptables -N GUIINPUT
+	iptables -A INPUT -j GUIINPUT
+	iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 
 	# WIRELESS chains
 	iptables -N WIRELESSINPUT