diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00369813..a1b3595d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The **patch** part changes incrementally at each release.
 * squid: minifirewall main file is configurable
 ### Changed
+* minifirewall: compare config before/after (for restart condition)
 * squid: better replacement in minifirewall config
 ### Fixed
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 09225cee..96d2120f 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -7,6 +7,11 @@
 var: minifirewall_privilegied_ips
 verbosity: 1
+- name: Stat minifirewall config file (before)
+ stat:
+ path: "{{ minifirewall_main_file }}"
+ register: minifirewall_before
+
 - name: Check if minifirewall is running
 shell: /sbin/iptables -L -n | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
 changed_when: False
@@ -115,6 +120,11 @@
 state: absent
 when: evomaintenance_hosts != []
+- name: Stat minifirewall config file (after)
+ stat:
+ path: "{{ minifirewall_main_file }}"
+ register: minifirewall_after
+
 - name: restart minifirewall
 # service:
 # name: minifirewall
@@ -126,7 +136,7 @@
 when:
 - minifirewall_restart_if_needed
 - minifirewall_is_running.rc == 0
- - (minifirewall_config_ips | changed or minifirewall_config_ports | changed)
+ - minifirewall_before.stat.checksum != minifirewall_after.stat.checksum
 - name: restart minifirewall (noop)
 meta: noop
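Review bot: The `before` stat added in the first hunk of minifirewall/tasks/config.yml is a baseline only for the tasks that run between it and the `after` stat in the second hunk. Any edit to `{{ minifirewall_main_file }}` made earlier in the play would not appear as a checksum difference, so the restart could be skipped while the loaded rules no longer match the file; the CHANGELOG context in this commit mentions the squid role rewriting the minifirewall config. Whether that can happen depends on task ordering outside these hunks, so it should be confirmed against the callers. A comment above the task would make the window explicit, for example `# Baseline for the restart condition: only edits made after this task trigger a restart`.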
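Review bot: The new condition in the last hunk of minifirewall/tasks/config.yml reads `stat.checksum` on both registered results without checking that the file exists. If `minifirewall_main_file` is absent or not a regular file, the stat result carries no `checksum` key, so the `when` fails on an undefined value instead of evaluating to false. For a firewall role that presumably aborts the play before the restart decision, leaving the host on whatever ruleset was already loaded. A defaulted comparison avoids that: `- minifirewall_before.stat.checksum | default('') != minifirewall_after.stat.checksum | default('')`. The restart task starts before this hunk, so the rest of its body is not visible here.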