diff --git a/bin/ports-unblock.sh b/bin/ports-unblock.sh
index 2c4220e..63cfe5b 100755
--- a/bin/ports-unblock.sh
+++ b/bin/ports-unblock.sh
@@ -43,46 +43,47 @@ saddr $CLUSTER proto tcp dport 8301 ACCEPT;
 
 # locator UDP port for archive website
 saddr $CLUSTER proto udp sport 8010 ACCEPT;
+' |grep -E -v '^#' |sudo tee /etc/ferm/input/nomad.conf
+
+
+INTRA=/etc/ferm/input/nomad-intra.conf
+echo '
+# @see https://github.com/internetarchive/hind/blob/main/bin/ports-unblock.sh
 
+# ===== INTERNALLY OPEN ===================================================================
+
+# For webapps with 2+ containers that need to talk to each other.
+# We want to allow internal access to the IP addressed "high ports" -- but not the public:
+proto tcp mod conntrack ctorigsrc $CLUSTER     mod conntrack ctorigdstport 20000:45000 ACCEPT;
+proto tcp mod conntrack ctorigsrc 10.88.0.0/16 mod conntrack ctorigdstport 20000:45000 ACCEPT;
+proto tcp                                      mod conntrack ctorigdstport 20000:45000 DROP;
 
 saddr      $CLUSTER proto tcp dport 20000:45000 ACCEPT;
 saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
 saddr  10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
                     proto tcp dport 20000:45000 REJECT;
 
-' |grep -E -v '^#' |sudo tee /etc/ferm/input/nomad.conf
+' |grep -E -v '^#' |sudo tee $INTRA
 
-set -x
 
+(
+  echo '
+# @see https://github.com/internetarchive/hind/blob/main/bin/ports-unblock.sh
 
-# xxx work w/ A to make `ferm.conf` changes stick
-
-# change/ensure Chain FORWARD default policy to be DROP
-# sudo iptables -P FORWARD ACCEPT # DROP
+chain (CNI-FORWARD FORWARD) @preserve;
 
+chain CNI-ADMIN {'
+  cat $INTRA
+  echo '
+}'
+) |sudo tee /etc/ferm/admin.conf
 
-# override to stock: /usr/share/containers/containers.conf
-echo 'netns = "host"' > /etc/containers/containers.conf
 
 
-CNI=$(echo '
-# ===== INTERNALLY OPEN ===================================================================
-# For webapps with 2+ containers that need to talk to each other.
-# The requesting/client IP addresses will be in the internal docker range of IP addresses.
-#   Alternatively:   ( https://serverfault.com/a/1095754 )
-#   iptables -I CNI-ADMIN -i eth0 -m conntrack --ctdir ORIGINAL -j DROP
-
-chain CNI-ADMIN {
-  saddr      $CLUSTER proto tcp dport 20000:45000 ACCEPT;
-  saddr 172.17.0.0/16 proto tcp dport 20000:45000 ACCEPT;
-  saddr  10.88.0.0/16 proto tcp dport 20000:45000 ACCEPT;
-                      proto tcp dport 20000:45000 REJECT;
-}' |grep -E -v '^#' |tr -d '\n' |tr -s ' ')
-
+set -x
 
-CONF=/etc/ferm/ferm.conf
-sudo sed -i 's/chain .DOCKER.*/CNI-ADMIN {} chain (CNI-FORWARD FORWARD) @preserve;/' $CONF
-sudo sed -i 's=CNI-ADMIN {}='$CNI'=' $CONF
+# xxx work w/ A to make `ferm.conf` changes stick
+sudo sed -i "s/table filter\s*{\s*\$/table filter { @include 'admin.conf';/" /etc/ferm/ferm.conf
 
 sudo service ferm reload