diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 8e1e8fed6..c84ab5d52 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -36,13 +36,23 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
     done
 fi
 
-# first setup any user IP block lists
 ipset create cloudron_ldap_allowlist hash:net || true
-/home/yellowtent/box/src/scripts/setldapallowlist.sh
+ipset flush cloudron_ldap_allowlist
 
-# ldap server we expose 3004 and also redirect from standard ldaps port 636
-iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
-iptables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist src -p tcp --dport 3004 -j ACCEPT
+ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt"
+if [[ -f "${ldap_allowlist_json}" ]]; then
+
+    # without the -n block, any last line without a new line won't be read it!
+    while read -r line || [[ -n "$line" ]]; do
+        [[ -z "${line}" ]] && continue # ignore empty lines
+        [[ "$line" =~ ^#.*$ ]] && continue # ignore lines starting with #
+        ipset add -! cloudron_ldap_allowlist "${line}" # the -! ignore duplicates
+    done < "${ldap_allowlist_json}"
+
+    # ldap server we expose 3004 and also redirect from standard ldaps port 636
+    iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
+    iptables -t filter -A CLOUDRON -m set --match-set cloudron_ldap_allowlist src -p tcp --dport 3004 -j ACCEPT
+fi
 
 # turn and stun service
 iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
diff --git a/src/scripts/setldapallowlist.sh b/src/scripts/setldapallowlist.sh
index 193935209..19fa1a35f 100755
--- a/src/scripts/setldapallowlist.sh
+++ b/src/scripts/setldapallowlist.sh
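Review bot: Each surviving line of ldap_allowlist.txt reaches `ipset add` verbatim, and `-!` only masks the already-exists error, so a line carrying a stray `\r` (the validation in src/settings.js trims before checking but stores the raw text) is an invalid entry; if this script runs under `set -e`, which is outside the hunk, that aborts the run before the TURN/STUN rules below are installed, and without it the entry is dropped with nothing in the log. I would add a defensive shape check before the add, `[[ "$line" =~ ^[0-9A-Fa-f.:/]+$ ]] || { echo "ignoring invalid allowlist entry: $line"; continue; }`, so one malformed line cannot leave the ruleset half-applied. Gating the port 636 redirect and the 3004 ACCEPT on the file's existence is a fail-closed change worth stating, since the deleted comment was the only description of this block; something like `# no allowlist file means LDAP is not exposed at all; the file holds one IP or CIDR per line, '#' comments allowed` — who writes the file is not visible here, so confirm before naming it in the comment.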
@@ -14,15 +14,4 @@ fi
 
 [[ "${BOX_ENV}" == "test" ]] && exit
 
-ipset flush cloudron_ldap_allowlist
-
-ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt"
-
-if [[ -f "${ldap_allowlist_json}" ]]; then
-    # without the -n block, any last line without a new line won't be read it!
-    while read -r line || [[ -n "$line" ]]; do
-        [[ -z "${line}" ]] && continue # ignore empty lines
-        [[ "$line" =~ ^#.*$ ]] && continue # ignore lines starting with #
-        ipset add -! cloudron_ldap_allowlist "${line}" # the -! ignore duplicates
-    done < "${ldap_allowlist_json}"
-fi
+systemctl restart cloudron-firewall
diff --git a/src/settings.js b/src/settings.js
index 0399281ca..be104bbb5 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -516,15 +516,20 @@ async function setExposedLdapConfig(exposedLdapConfig) {
     const config = {
         enabled: exposedLdapConfig.enabled,
         // if list is empty, we allow all IPs
-        allowlist: exposedLdapConfig.allowlist || '0.0.0.0/0'
+        allowlist: exposedLdapConfig.allowlist || ''
     };
 
     if (config.enabled) {
+        let gotOne = false;
         for (const line of exposedLdapConfig.allowlist.split('\n')) {
             if (!line || line.startsWith('#')) continue;
             const rangeOrIP = line.trim();
             if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
+            gotOne = true;
         }
+
+        // only allow if we at least have one allowed IP/range
+        if (!gotOne) throw new BoxError(BoxError.BAD_FIELD, 'allowlist must at least contain one IP or range');
     }
 
     await set(exports.EXPOSED_LDAP_KEY, JSON.stringify(config));
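Review bot: An allowlist change is now applied by restarting the whole cloudron-firewall unit instead of updating the set in place, so the entire ruleset is torn down and rebuilt for what used to be an `ipset flush` plus a few `ipset add`s; whether the host is briefly unfiltered or fully closed during that window depends on the unit's stop behaviour, which is not visible in this diff. The restart looks necessary with the new layout, because cloudron-firewall.sh only installs the port 636 redirect and the 3004 ACCEPT when the allowlist file exists, but nothing in this script says so; I would keep that reasoning next to the call, `# the 636/3004 rules are created by cloudron-firewall.sh only when the allowlist file exists, so the unit has to be restarted rather than the set refreshed`. If the restart window matters, a cheaper path is to refresh the set in place when the rules are already present (`iptables -t filter -C CLOUDRON ...` can tell) and restart only when the file appeared or disappeared. The script's header and the `BOX_ENV` guard start outside the hunk.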
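Review bot: Validation trims each line but the untrimmed text is what ends up in `config.allowlist`, and the firewall script in this same commit feeds every line of the allowlist file to `ipset add` verbatim, so an entry that passes here with a trailing `\r` or blank (CRLF input from a textarea is the usual case) becomes an invalid ipset entry at apply time. The loop also tests `!line` before trimming, so a whitespace-only line is rejected with `' is not a valid IP or range'` instead of being ignored, and it reads `exposedLdapConfig.allowlist` rather than `config.allowlist`, so `enabled: true` without an allowlist throws a TypeError instead of the new BAD_FIELD. The comment `// if list is empty, we allow all IPs` now states the opposite of the behaviour and should read `// when enabled, the list must contain at least one IP or range`. I would normalize the lines once, validate the normalized entries and persist the normalized text:
```javascript
    if (config.enabled) {
        // trim once: the persisted text is what the firewall script feeds to ipset line by line
        const lines = config.allowlist.split('\n').map((line) => line.trim());
        let gotOne = false;
        for (const rangeOrIP of lines) {
            if (!rangeOrIP || rangeOrIP.startsWith('#')) continue;
            if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
            gotOne = true;
        }

        // only allow if we at least have one allowed IP/range
        if (!gotOne) throw new BoxError(BoxError.BAD_FIELD, 'allowlist must at least contain one IP or range');

        config.allowlist = lines.join('\n');
    }
    // … unchanged: await set(exports.EXPOSED_LDAP_KEY, ...) …
```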