diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 8543efcd6..3546ff5c2 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -40,10 +40,12 @@ $ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j D
 $ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP # there is no DOCKER-USER chain in ip6tables, bug?
 
 # allow related and establisted connections
+echo "==> Opening standard ports"
 ipxtables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
 ipxtables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,80,202,443 -j ACCEPT # 202 is the alternate ssh port
 
 # whitelist any user ports. we used to use --dports but it has a 15 port limit (XT_MULTI_PORTS)
+echo "==> Opening up user specified ports"
 ports_json="/home/yellowtent/platformdata/firewall/ports.json"
 if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_json}', 'utf8')).allowed_tcp_ports.join(' '))" 2>/dev/null); then
     for p in $allowed_tcp_ports; do
@@ -58,6 +60,7 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
 fi
 
 # LDAP user directory allow list
+echo "==> Configuring LDAP allow list"
 if ! ipset list cloudron_ldap_allowlist >/dev/null 2>&1; then
     echo "==> Creating the cloudron_ldap_allowlist ipset"
     ipset create cloudron_ldap_allowlist hash:net
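Review bot: `echo "==> Opening up user specified ports"` is printed before the `ports_json` read whose failure is silenced with `2>/dev/null`, so the start-up log shows the step beginning but never which user ports were actually opened, nor that the file was missing or unparsable. A line inside the `then` branch such as `echo "==> Allowing user TCP ports: ${allowed_tcp_ports}"` (and the same in the UDP branch, which lies outside this hunk) would let an operator audit the applied rule set from the log alone. The body of that `if` block and its `fi` continue past the end of the hunk. Separately, the new messages mix phrasings — "Opening", "Configuring", "Allow ICMP", "Adding", "Setup" across this hunk and the `@@ -95` and `@@ -113` hunks; settling on one form, e.g. the gerund already used by the first two, keeps the output consistent and easier to grep.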
@@ -95,11 +98,13 @@ if [[ -f "${ldap_allowlist_json}" ]]; then
 fi
 
 # turn and stun service
+echo "==> Opening ports for TURN and STUN"
 ipxtables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
 ipxtables -t filter -A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT
 ipxtables -t filter -A CLOUDRON -p udp -m multiport --dports 50000:51000 -j ACCEPT
 
 # ICMPv6 is very fundamental to IPv6 connectivity unlike ICMPv4
+echo "==> Allow ICMP"
 $iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-request -j ACCEPT
 $iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-reply -j ACCEPT
 $ip6tables -t filter -A CLOUDRON -p ipv6-icmp -j ACCEPT
@@ -113,14 +118,17 @@ ipxtables -t filter -A CLOUDRON -m limit --limit 2/min -j LOG --log-prefix "Pack
 ipxtables -t filter -A CLOUDRON -j DROP
 
 # prepend our chain to the filter table
+echo "==> Adding cloudron chain"
 $iptables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $iptables -t filter -I INPUT -j CLOUDRON
 $ip6tables -t filter -C INPUT -j CLOUDRON 2>/dev/null || $ip6tables -t filter -I INPUT -j CLOUDRON
 
 # Setup rate limit chain (the recent info is at /proc/net/xt_recent)
+echo "==> Setup rate limit chain"
 ipxtables -t filter -N CLOUDRON_RATELIMIT || true
 ipxtables -t filter -F CLOUDRON_RATELIMIT # empty any existing rules
 
 # log dropped incoming. keep this at the end of all the rules
+echo "==> Setup logging"
 ipxtables -t filter -N CLOUDRON_RATELIMIT_LOG || true
 ipxtables -t filter -F CLOUDRON_RATELIMIT_LOG # empty any existing rules
 ipxtables -t filter -A CLOUDRON_RATELIMIT_LOG -m limit --limit 2/min -j LOG --log-prefix "IPTables RateLimit: " --log-level 7
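Review bot: `echo "==> Setup logging"` in the `@@ -113` hunk is ambiguous, because the general drop-logging rule (`-j LOG --log-prefix "Pack…`, visible in the hunk header) sits earlier in the file and this block only creates and fills the CLOUDRON_RATELIMIT_LOG chain; a message naming the chain, e.g. `echo "==> Setup rate limit log chain"`, tells an operator reading the start-up output which rule set a subsequent failure belongs to. Likewise `echo "==> Setup rate limit chain"` repeats the comment directly above it verbatim, so carrying the chain name instead (`echo "==> Setup CLOUDRON_RATELIMIT chain"`) would add information rather than noise. The hunk ends at the LOG rule, so any terminal rule for CLOUDRON_RATELIMIT_LOG presumably follows outside the visible lines.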