diff --git a/inventory/group_vars/nagios-new b/inventory/group_vars/nagios-new
index ec7ce0b65d..faec180c8f 100644
--- a/inventory/group_vars/nagios-new
+++ b/inventory/group_vars/nagios-new
@@ -165,36 +165,27 @@ phx2_management_slowping:
   - ppc8-03-fsp.mgmt.fedoraproject.org
 
 phx2_external:
+  - admin.stg.fedoraproject.org
+  - autoqa.fedoraproject.org
+  - bastion-comm01.fedoraproject.org
   - bastion01.fedoraproject.org
   - bastion02.fedoraproject.org
-  - pkgs.fedoraproject.org
-  - stg.fedoraproject.org
-  - puppet.fedoraproject.org
-  - koji.fedoraproject.org
-  - secondary1.fedoraproject.org
-  - autoqa-stg.fedoraproject.org
-  - kojipkgs.fedoraproject.org
-  - pkgs.stg.fedoraproject.org
-  - bastion-comm01.fedoraproject.org
-  - admin.stg.fedoraproject.org
-  - proxy10.fedoraproject.org
-  - proxy01.fedoraproject.org
-  - ns04.fedoraproject.org
-  - koji.stg.fedoraproject.org
   - dl01.fedoraproject.org
   - dl02.fedoraproject.org
   - dl03.fedoraproject.org
   - dl04.fedoraproject.org
   - dl05.fedoraproject.org
+  - koji.fedoraproject.org
+  - koji.stg.fedoraproject.org
+  - kojipkgs.fedoraproject.org
+  - ns04.fedoraproject.org
+  - pkgs.fedoraproject.org
+  - pkgs01.stg.fedoraproject.org
+  - proxy01.fedoraproject.org
+  - proxy10.fedoraproject.org
+  - puppet.fedoraproject.org
   - retrace01.fedoraproject.org
-  - autoqa.fedoraproject.org
-  - qadevel.fedoraproject.org
-  - fas.fedoraproject.org
-  - ppc-composer.qa.fedoraproject.org
   - retrace02.fedoraproject.org
-  - noc01.fedoraproject.org
-  - beaker.fedoraproject.org
-  - master.centos.org
-  - qadevel-stg.fedoraproject.org
-  - qadevel-stg.qa.fedoraproject.org
-  - centos02-phx.centos.org
+  - secondary01.fedoraproject.org
+  - secondarykoji.fedoraproject.org
+  - stg.fedoraproject.org
diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables
index 778599abc7..921435cd0a 100644
--- a/roles/base/templates/iptables/ip6tables
+++ b/roles/base/templates/iptables/ip6tables
@@ -27,6 +27,9 @@
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
+# for nrpe (if we want noc02 to be able to get into remote systems)
+#-A INPUT -p tcp -m tcp --dport 5666 -s 2610:28:3090:3001:dead:beef:cafe:fed9 -j ACCEPT
+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}