diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1afc4f9f..42247241 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,7 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * evolinux-base: backup-server-state release 22.03.5
 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
 * generate-ldif: Add services check for bkctld
-* minifirewall: upstream release 22.03.3 and use includes directory
+* minifirewall: upstream release 22.03.4
 * openvpn: use a subnet topology instead of the net30 default topology
 
 ### Fixed
diff --git a/minifirewall/files/minifirewall b/minifirewall/files/minifirewall
index 9e8ff67f..cb707673 100755
--- a/minifirewall/files/minifirewall
+++ b/minifirewall/files/minifirewall
@@ -28,7 +28,7 @@
 # Description: Firewall designed for standalone server
 ### END INIT INFO
 
-VERSION="22.03.3"
+VERSION="22.03.4"
 NAME="minifirewall"
 
 # shellcheck disable=SC2034
@@ -97,6 +97,21 @@
 BACKUPSERVERS=''
 LEGACY_CONFIG='off'
 
+## pseudo dry-run :
+## Uncomment and call these functions instead of the real iptables and ip6tables commands
+# IPT="fake_iptables"
+# IPT6="fake_ip6tables"
+# fake_iptables() {
+# printf "DRY-RUN iptables %s\n" "$*"
+# }
+# fake_ip6tables() {
+# printf "DRY-RUN ip6tables %s\n" "$*"
+# }
+## Beware that commands executed from included files are not modified by this trick.
+
+sort_values() {
+ echo "$*" | tr ' ' '\n' | sort -h
+}
 is_ipv6_enabled() {
 test "${IPV6}" != "off"
 }
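Review bot: `sort -h` in the new sort_values runs under whatever locale the caller has, so the ordering the comment in start() promises to be consistent can still differ between hosts, or between an interactive run and a boot-time run with a different LANG; pinning it with `echo "$*" | tr ' ' '\n' | LC_ALL=C sort -h` makes the order reproducible everywhere. `printf '%s\n' "$*"` is also the safer idiom than `echo` for data that is not under the script's control. Duplicated entries survive the sort, so a value repeated in the configuration still produces duplicate rules; `sort -h -u` would collapse them if that is wanted. A one-line header such as `# Print the space-separated values in $* one per line, sorted by leading number` would document the contract callers rely on (output is newline-separated, not space-separated).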
@@ -303,6 +318,31 @@ start() {
 # * from configuration directory (/etc/minifirewall.d/*)
 source_includes
 
+ # IP/ports lists are sorted to have consistent ordering
+ # You can disable this feature by simply commenting the following lines
+ LOOPBACK=$(sort_values ${LOOPBACK})
+ INTLAN=$(sort_values ${INTLAN})
+ TRUSTEDIPS=$(sort_values ${TRUSTEDIPS})
+ PRIVILEGIEDIPS=$(sort_values ${PRIVILEGIEDIPS})
+ SERVICESTCP1p=$(sort_values ${SERVICESTCP1p})
+ SERVICESUDP1p=$(sort_values ${SERVICESUDP1p})
+ SERVICESTCP1=$(sort_values ${SERVICESTCP1})
+ SERVICESUDP1=$(sort_values ${SERVICESUDP1})
+ SERVICESTCP2=$(sort_values ${SERVICESTCP2})
+ SERVICESUDP2=$(sort_values ${SERVICESUDP2})
+ SERVICESTCP3=$(sort_values ${SERVICESTCP3})
+ SERVICESUDP3=$(sort_values ${SERVICESUDP3})
+ DNSSERVEURS=$(sort_values ${DNSSERVEURS})
+ HTTPSITES=$(sort_values ${HTTPSITES})
+ HTTPSSITES=$(sort_values ${HTTPSSITES})
+ FTPSITES=$(sort_values ${FTPSITES})
+ SSHOK=$(sort_values ${SSHOK})
+ SMTPOK=$(sort_values ${SMTPOK})
+ SMTPSECUREOK=$(sort_values ${SMTPSECUREOK})
+ NTPOK=$(sort_values ${NTPOK})
+ PROXYBYPASS=$(sort_values ${PROXYBYPASS})
+ BACKUPSERVERS=$(sort_values ${BACKUPSERVERS})
+
 # Trusted ip addresses
 ${IPT} -N ONLYTRUSTED
 ${IPT} -A ONLYTRUSTED -j LOG_DROP
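Review bot: Each `$(sort_values ${LOOPBACK})` and the 21 assignments after it leave the expansion unquoted, so besides the IFS splitting that is presumably intended here (it lets tab- or newline-separated lists from the configuration be normalised before sort_values splits on spaces), the shell also applies pathname expansion to every word; a configuration value such as `*` would be replaced by file names from the current directory before it reaches the firewall rules. If the unquoted form is deliberate, a comment saying so is worth adding, since ShellCheck SC2086 will flag all 22 lines, or globbing can be switched off around the block with `set -f` before the first assignment and `set +f` after the last. Note also that after this block every list holds newline-separated rather than space-separated values, which is fine for unquoted `for` loops but changes the result anywhere a list is later used inside double quotes or in a pattern; I cannot see those uses from this hunk. The enclosing start() function begins before this hunk.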