diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 57f4809b4..d71304986 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -701,15 +701,9 @@ sub drop_hostile_networks () {
 	# Call function to load the network list of hostile networks.
 	&ipset_restore($HOSTILE_CCODE);
 
-	# Setup rules to pass traffic which does not belong to a hostile network.
-	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
-	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
-
-	# Setup logging.
-	run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix \"DROP_HOSTILE \"");
-
-	# Drop traffic from/to hostile network.
-	run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
+	# Check traffic in incoming/outgoing direction and drop if it matches
+	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
+	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
 }
 
 sub get_protocols {
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2c4d3163b..2a70feac2 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -262,10 +262,13 @@ iptables_init() {
 	# Chains for networks known as being hostile, posing a technical threat to our users
 	# (i. e. listed at Spamhaus DROP et al.)
 	iptables -N HOSTILE
-	iptables -A INPUT -i $IFACE -j HOSTILE
-	iptables -A FORWARD -i $IFACE -j HOSTILE
-	iptables -A FORWARD -o $IFACE -j HOSTILE
-	iptables -A OUTPUT -o $IFACE -j HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
 	# Tor (inbound)
 	iptables -N TOR_INPUT
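Review bot: The two new `run(...)` lines jump to `HOSTILE_DROP`, a chain that is no longer created in this file but in `src/initscripts/system/firewall`; on a system where rules.pl is reloaded without the initscript having been re-run (an update that only regenerates rules), iptables will reject `-j HOSTILE_DROP` because the chain does not exist, and unless `run` aborts on a failed command (not visible here) the HOSTILE chain is left empty, i.e. the hostile-network filter fails open. Consider either guarding the jump with an idempotent chain creation in `drop_hostile_networks`, or at least documenting the dependency so the release notes require a full firewall restart. The new comment should also name the target and its semantics, e.g. `# Traffic from/to a hostile network on RED is handed to HOSTILE_DROP (created in the firewall initscript), which logs at a limited rate and drops; everything else falls through.` `drop_hostile_networks` starts before the hunk.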
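Review bot: Dropping `-i $IFACE`/`-o $IFACE` from the three jump rules means every packet on INPUT, FORWARD and OUTPUT now enters the HOSTILE chain, and the decision to only inspect RED traffic rests entirely on the `-i $RED_DEV`/`-o $RED_DEV` matches kept in rules.pl; that coupling is invisible from this file and deserves a comment at the jump rules, e.g. `# Interface matching is done inside the HOSTILE chain (config/firewall/rules.pl), so jump unconditionally.` The new `HOSTILE_DROP` chain likewise needs a one-line purpose comment above `iptables -N HOSTILE_DROP`, e.g. `# Terminal chain for hostile networks: rate-limited LOG, then DROP; referenced from rules.pl.` As a point of style, `iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"` puts the match after the target; the conventional order is `-m comment --comment "DROP_HOSTILE" -j DROP`, matching the LOG rule directly above it. `iptables_init` continues outside the hunk.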