Index: src/fw_iptables.c
===================================================================
--- src/fw_iptables.c	(revision 1453)
+++ src/fw_iptables.c	(working copy)
@@ -555,7 +555,11 @@
 					debug(LOG_DEBUG, "%s - Updated counter.outgoing to %llu bytes.  Updated last_updated to %d", ip, counter, p1->counters.last_updated);
 				}
 			} else {
-				debug(LOG_ERR, "Could not find %s in client list", ip);
+				debug(LOG_ERR, "iptables_fw_counters_update(): Could not find %s in client list, this should not happen unless if the gateway crashed", ip);
+				debug(LOG_ERR, "Preventively deleting firewall rules for %s in table %s", ip, TABLE_WIFIDOG_OUTGOING);
+				iptables_fw_destroy_mention("mangle", TABLE_WIFIDOG_OUTGOING, ip);
+				debug(LOG_ERR, "Preventively deleting firewall rules for %s in table %s", ip, TABLE_WIFIDOG_INCOMING);
+				iptables_fw_destroy_mention("mangle", TABLE_WIFIDOG_INCOMING, ip);
 			}
 			UNLOCK_CLIENT_LIST();
 		}
@@ -593,7 +597,11 @@
 					debug(LOG_DEBUG, "%s - Updated counter.incoming to %llu bytes", ip, counter);
 				}
 			} else {
-				debug(LOG_ERR, "Could not find %s in client list", ip);
+				debug(LOG_ERR, "iptables_fw_counters_update(): Could not find %s in client list, this should not happen unless if the gateway crashed", ip);
+				debug(LOG_ERR, "Preventively deleting firewall rules for %s in table %s", ip, TABLE_WIFIDOG_OUTGOING);
+				iptables_fw_destroy_mention("mangle", TABLE_WIFIDOG_OUTGOING, ip);
+				debug(LOG_ERR, "Preventively deleting firewall rules for %s in table %s", ip, TABLE_WIFIDOG_INCOMING);
+				iptables_fw_destroy_mention("mangle", TABLE_WIFIDOG_INCOMING, ip);
 			}
 			UNLOCK_CLIENT_LIST();
 		}
Index: src/auth.c
===================================================================
--- src/auth.c	(revision 1453)
+++ src/auth.c	(working copy)
@@ -106,7 +106,7 @@
 	client = client_list_find_by_ip(r->clientAddr);
 
 	if (client == NULL) {
-		debug(LOG_ERR, "Could not find client for %s", r->clientAddr);
+		debug(LOG_ERR, "authenticate_client(): Could not find client for %s", r->clientAddr);
 		UNLOCK_CLIENT_LIST();
 		return;
 	}
@@ -129,7 +129,7 @@
 	client = client_list_find(r->clientAddr, mac);
 	
 	if (client == NULL) {
-		debug(LOG_ERR, "Could not find client node for %s (%s)", r->clientAddr, mac);
+		debug(LOG_ERR, "authenticate_client(): Could not find client node for %s (%s)", r->clientAddr, mac);
 		UNLOCK_CLIENT_LIST();
 		free(token);
 		free(mac);
@@ -153,7 +153,8 @@
 
 	case AUTH_DENIED:
 		/* Central server said invalid token */
-		debug(LOG_INFO, "Got DENIED from central server authenticating token %s from %s at %s - redirecting them to denied message", client->token, client->ip, client->mac);
+		debug(LOG_INFO, "Got DENIED from central server authenticating token %s from %s at %s - deleting from firewall and redirecting them to denied message", client->token, client->ip, client->mac);
+		fw_deny(client->ip, client->mac, FW_MARK_KNOWN);
 		safe_asprintf(&urlFragment, "%smessage=%s",
 			auth_server->authserv_msg_script_path_fragment,
 			GATEWAY_MESSAGE_DENIED