diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 8d20cde7f..26bdd05d7 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -709,6 +709,29 @@ PKTTYPE=Yes
 
 RFC1918_STRICT=No
 
+#
+# MAC List Table
+#
+# Normally, MAC verification occurs in the filter table (INPUT and FORWARD)
+# chains. When forwarding a packet from an interface with MAC verification
+# to a bridge interface, that doesn't work.
+#
+# These problems can be worked around by setting MACLIST_TABLE=mangle which
+# will cause Mac verification to occur out of the PREROUTING chain. Because
+# REJECT isn't available in that environment, you may not specify
+# MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.
+
+MACLIST_TABLE=filter
+
+
+#
+# These problems can be worked around by setting MACLIST_TABLE=mangle which
+# will cause Mac verification to occur out of the PREROUTING chain. Because
+# REJECT isn't available in that environment, you may not specify
+# MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.
+
+MACLIST_TABLE=filter
+
 #
 # MACLIST caching
 #
@@ -788,20 +811,6 @@ FASTACCEPT=No
 
 BLACKLIST_DISPOSITION=DROP
 
-#
-# MAC List Table
-#
-# Normally, MAC verification occurs in the filter table (INPUT and FORWARD)
-# chains. In some configurations, users have reported problems with MAC
-# verification of forwarded packets.
-#
-# These problems can be worked around by setting MACLIST_TABLE=mangle which
-# will cause Mac verification to occur out of the PREROUTING chain. Because
-# REJECT isn't available in that environment, you may not specify
-# MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle.
-
-MACLIST_TABLE=filter
-
 #
 # MAC List Disposition
 #
@@ -812,7 +821,7 @@ MACLIST_TABLE=filter
 # empty (MACLIST_DISPOSITION="") then REJECT is assumed
 #
 
-MACLIST_DISPOSITION=REJECT
+MACLIST_DISPOSITION=DROP
 
 #
 # TCP FLAGS Disposition
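Review bot: The block added ahead of `# MACLIST caching` carries the "These problems can be worked around…" paragraph and the `MACLIST_TABLE=filter` assignment twice, which looks like a leftover from moving the section. If the file is read top to bottom with the later assignment winning (not confirmed from this hunk), an administrator who edits only the first `MACLIST_TABLE=` line to `mangle` would silently keep MAC verification in the filter table. Drop the second comment paragraph and the second `MACLIST_TABLE=filter` so the setting appears exactly once. The reworded sentence also leaves "These problems" without a plural antecedent; `# to a bridge interface, verification in the filter table does not work.` would read more clearly.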
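Review bot: The comment above `MACLIST_DISPOSITION=DROP` still ends with "then REJECT is assumed" for an empty value, while the relocated MAC List Table text says REJECT may not be combined with `MACLIST_TABLE=mangle`. The restriction should be repeated where the disposition is chosen, for example `# REJECT (and presumably the empty setting, which assumes REJECT) may not be used with MACLIST_TABLE=mangle.` The comment block starts above this hunk, so part of this may already be covered there. Because DROP discards traffic from unlisted MAC addresses without a reply where REJECT answered it, the new shipped default also deserves a line in the release notes for sites that merge this file.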