diff --git a/common/setup_ip b/common/setup_ip
index ad42cf4..43d1439 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -19,6 +19,7 @@ if [ x$ip != x ]; then
echo "NS1=$gateway" > /var/run/qubes/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
/usr/lib/qubes/qubes_setup_dnat_to_ns
+ [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
fi
fi
diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 13f5ba2..5a60a07 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -13,11 +13,20 @@ echo $$ >$PIDFILE
trap 'exit 0' SIGTERM
while true; do
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
# Wait for changes in xenstore file
/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+
+ # Disable forarding to prevent potential "leaks" that might
+ # be bypassing the firewall or some proxy service (e.g. tor)
+ # during the time when the rules are being (re)applied
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
@@ -31,8 +40,7 @@ while true; do
if [ "$OUT" ]; then
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
fi
- if [[ -z "$OUT" ]]; then
- # If OK save it for later
- /sbin/service iptables save >/dev/null
- fi
+
+ # Check if user didn't define some custom rules to be applied as well...
+ [ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script
done
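Review bot: The hook added at the end of the setup_ip hunk is invoked with no arguments, so it cannot see the values this block just derived (`$ip`, `$gateway`, `$secondary_dns`) unless they are exported somewhere not visible here, and the `[ -x … ] && …` form also drops its exit status. If the hook is meant to react to the new addresses, which its name suggests but the hunk does not show, pass them explicitly: `[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook "$ip" "$gateway" "$secondary_dns"`; a hook that only needs the nameservers can already read /var/run/qubes/qubes_ns, written two lines above. A one-line comment above the call stating that contract (arguments and the fact that a failure is ignored) would save the next reader from guessing. The enclosing `if [ x$ip != x ]` block starts outside the hunk.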
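Review bot: The `echo "1" > /proc/sys/net/ipv4/ip_forward` at the top of the loop re-enables forwarding unconditionally on the next iteration, including after `iptables-restore` has failed (the `$OUT` check that reports the failure sits later in the loop), so a bad reload ends with forwarding back on over whatever ruleset was left behind, which defeats the fail-closed intent stated in the new comment. Gating the re-enable on the last reload result keeps both the startup path and the non-reload-trigger `continue` path working, since `$OUT` is empty until a reload has been attempted (assuming nothing sets it before the loop): `[ -z "$OUT" ] && echo "1" > /proc/sys/net/ipv4/ip_forward`. With that change forwarding stays off after a failed reload until a later reload succeeds, which is presumably the behaviour wanted from a firewall VM. Also, `forarding` in the new comment should read `forwarding`.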
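Review bot: The user script added at the end of the loop runs even when the preceding `iptables-restore` reported an error (`$OUT` non-empty), and its exit status and output are discarded by the `[ -x … ] && …` form, so a broken `/rw/config/qubes_firewall_user_script` fails silently while a broken ruleset is reported via `notify-send` a few lines above. It would be more consistent to run it only on top of a successfully loaded ruleset and to surface its failure the same way; a suggested rewrite follows. The enclosing `while` loop starts outside the hunk.

```shell
    # Apply the user's custom rules only on top of a successfully loaded
    # ruleset, and report a failing script the same way a failing restore is.
    if [ -z "$OUT" ] && [ -x /rw/config/qubes_firewall_user_script ]; then
        USER_OUT=$(/rw/config/qubes_firewall_user_script 2>&1) || \
            DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall user script error ($HOSTNAME)" "$USER_OUT" || :
    fi
done
```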