diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go
index 5aef6013..b90e74c8 100644
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -175,6 +175,50 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
  return err
  }
 
+ // Note: no need to validate minimal settings for the firewall:
+ // - global log level is parsed from source
+ // - firewall Debug and Enabled are booleans parsed from source
+
+ logger.PatchLevel(*allSettings.Log.Level)
+
+ routingLogger := logger.NewChild(logging.Settings{
+ Prefix: "routing: ",
+ })
+ if *allSettings.Firewall.Debug { // To remove in v4
+ routingLogger.PatchLevel(logging.LevelDebug)
+ }
+ routingConf := routing.New(netLinker, routingLogger)
+
+ defaultInterface, defaultGateway, err := routingConf.DefaultRoute()
+ if err != nil {
+ return err
+ }
+
+ localNetworks, err := routingConf.LocalNetworks()
+ if err != nil {
+ return err
+ }
+
+ defaultIP, err := routingConf.DefaultIP()
+ if err != nil {
+ return err
+ }
+
+ firewallLogger := logger.NewChild(logging.Settings{
+ Prefix: "firewall: ",
+ })
+ if *allSettings.Firewall.Debug { // To remove in v4
+ firewallLogger.PatchLevel(logging.LevelDebug)
+ }
+ firewallConf := firewall.NewConfig(firewallLogger, cmder,
+ defaultInterface, defaultGateway, localNetworks, defaultIP)
+ if *allSettings.Firewall.Enabled {
+ err = firewallConf.SetEnabled(ctx, true)
+ if err != nil {
+ return err
+ }
+ }
+
  // TODO run this in a loop or in openvpn to reload from file without restarting
  storageLogger := logger.NewChild(logging.Settings{Prefix: "storage: "})
  storage, err := storage.New(storageLogger, constants.ServersData)
@@ -189,8 +233,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
  return err
  }
 
- logger.PatchLevel(*allSettings.Log.Level)
-
  allSettings.Pprof.HTTPServer.Logger = logger
  pprofServer, err := pprof.New(allSettings.Pprof)
  if err != nil {
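Review bot: The error from `firewallConf.SetEnabled(ctx, true)` is now returned bare and ahead of `routingConf.Setup()`, so a container started without NET_ADMIN would presumably fail here and never reach the "operation not permitted" tip that a later part of `_main` logs for routing setup. Wrapping it, for example `return fmt.Errorf("enabling firewall: %w", err)` (if `fmt` is imported in this file), and doing the same for the three routing lookups above it, would tell the operator which startup step failed. The added comment explains why validation is skipped but not why this block sits above the storage and pprof setup; if the intent is to have the rules in place before any other component can open a connection, a line such as `// Keep this block first: the firewall must be up before anything below touches the network.` would protect that ordering from later refactors. `_main` begins and continues outside this hunk, so whether the dereferenced `Log.Level`, `Firewall.Debug` and `Firewall.Enabled` pointers are always defaulted by this point cannot be confirmed from here.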
@@ -250,38 +292,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
  return err
  }
 
- firewallLogLevel := *allSettings.Log.Level
- if *allSettings.Firewall.Debug {
- firewallLogLevel = logging.LevelDebug
- }
- routingLogger := logger.NewChild(logging.Settings{
- Prefix: "routing: ",
- Level: firewallLogLevel,
- })
- routingConf := routing.New(netLinker, routingLogger)
-
- defaultInterface, defaultGateway, err := routingConf.DefaultRoute()
- if err != nil {
- return err
- }
-
- localNetworks, err := routingConf.LocalNetworks()
- if err != nil {
- return err
- }
-
- defaultIP, err := routingConf.DefaultIP()
- if err != nil {
- return err
- }
-
- firewallLogger := logger.NewChild(logging.Settings{
- Prefix: "firewall: ",
- Level: firewallLogLevel,
- })
- firewallConf := firewall.NewConfig(firewallLogger, cmder,
- defaultInterface, defaultGateway, localNetworks, defaultIP)
-
  if err := routingConf.Setup(); err != nil {
  if strings.Contains(err.Error(), "operation not permitted") {
  logger.Warn("💡 Tip: Are you passing NET_ADMIN capability to gluetun?")
@@ -311,13 +321,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
  }
  }
 
- if *allSettings.Firewall.Enabled {
- err := firewallConf.SetEnabled(ctx, true) // disabled by default
- if err != nil {
- return err
- }
- }
-
  for _, port := range allSettings.Firewall.InputPorts {
  err = firewallConf.SetAllowedPort(ctx, port, defaultInterface)
  if err != nil {