diff --git a/CHANGELOG b/CHANGELOG
index 2500a1f..20c4908 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 
 * use long options in some places
 * output is normalized
+* source legacy config after macros but before DROP policy
 
 ### Deprecated
 
diff --git a/minifirewall b/minifirewall
index d6019d9..6f6ce42 100755
--- a/minifirewall
+++ b/minifirewall
@@ -842,6 +842,10 @@ start() {
         ${IPT6} -A INPUT -p icmpv6 -j ACCEPT
     fi
 
+    # source config file for remaining commands
+    if is_legacy_config; then
+        source_file_or_error "${config_file}"
+    fi
 
     # IPTables policy
     #################
@@ -878,10 +882,6 @@ start() {
         ${IPT6} -A OUTPUT -p udp -j DROP
     fi
 
-    if is_legacy_config; then
-        source_file_or_error "${config_file}"
-    fi
-
     # Finish
     ########################