diff --git a/contestops/configure-machines.sh b/contestops/configure-machines.sh
index c3d8fd6..6e2f61e 100755
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
 
 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
 
 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
diff --git a/contestops/readme.md b/contestops/readme.md
index 14a3f5d..d0a392b 100644
--- a/contestops/readme.md
+++ b/contestops/readme.md
@@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest.
 
 Apply the configuration to machines.
-If the script gets stuck, press Ctrl+C and run it again.
 
 ```bash
 ./configure-machines.sh
diff --git a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
index e65b6fd..c8c0dea 100755
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@@ -28,3 +28,6 @@ systemctl disable kexec.service
 
 # Restrict access to the config which contains the WiFi password.
 chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
+
+# Enable firewall.
+systemctl enable nftables.service
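Review bot: `systemctl reload nftables.service` on the added line fails when the unit is not active, which is the case on any machine built from an image that predates the enable added in the contestant hook, or on a host whose boot-time load of /etc/nftables.conf failed; `parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload-or-restart nftables.service` handles both states without reintroducing the removed enable/start pair. Because the reload is what swaps in the restrictive ruleset on every host at once, a syntax error in ./config-nftables.conf would surface only as per-host non-zero statuses from parallel-ssh, with those hosts left on the previous ruleset; a local `nft -c -f ./config-nftables.conf` before the scp would catch that on the operator machine, assuming nft is installed there. The script continues outside the hunk, so I cannot see whether the parallel-ssh exit status is checked.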
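Review bot: Enabling the unit in the chroot hook means the host's only protection until configure-machines.sh runs is whatever /etc/nftables.conf loads at boot; if that file fails to parse, nftables.service fails and the host runs with no ruleset at all, and the later `systemctl reload` in configure-machines.sh then fails too. A build-time validation step next to the added line, `nft -c -f /etc/nftables.conf`, would catch a broken shipped config before the image is produced — hedged, since I cannot tell from the hunk whether nft is usable inside this live-build chroot. The hook continues outside the hunk.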
diff --git a/os/layers/contestant/includes.chroot/etc/nftables.conf b/os/layers/contestant/includes.chroot/etc/nftables.conf
new file mode 100644
index 0000000..190685b
--- /dev/null
+++ b/os/layers/contestant/includes.chroot/etc/nftables.conf
@@ -0,0 +1,19 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority filter;
+# Add a rule which references conntrack, to make sure that conntrack is
+# already enabled when we activate a restrictive ruleset.
+ct state { established, related } accept
+}
+chain forward {
+type filter hook forward priority filter;
+}
+chain output {
+type filter hook output priority filter;
+ct state { established, related } accept
+}
+}
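Review bot: None of the three chains declares a `policy`, so they keep the nft default of accept and this file is a permissive ruleset whose only effect is to register conntrack, yet a reader finding it at /etc/nftables.conf on a contestant image will reasonably take it for the firewall itself. The existing two-line comment in `chain input` explains the conntrack motivation but not the consequence; a header comment after `flush ruleset` such as `# Intentionally permissive (all chains use the default accept policy): this only primes conntrack so the SSH session used by contestops/configure-machines.sh survives the restrictive ruleset it later pushes over this file.` would make the intent and the handoff explicit. The chain bodies appear at column 0 here, which may be an extraction artifact of the collapsed diff rather than the committed indentation.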