diff --git a/sshuttle/firewall.py b/sshuttle/firewall.py
index ced6e05..32df204 100644
--- a/sshuttle/firewall.py
+++ b/sshuttle/firewall.py
@@ -47,8 +47,11 @@ def rewrite_etc_hosts(hostmap, port):
     os.rename(tmpname, HOSTSFILE)
 
 
-def restore_etc_hosts(port):
-    rewrite_etc_hosts({}, port)
+def restore_etc_hosts(hostmap, port):
+    # Only restore if we added hosts to /etc/hosts previously.
+    if len(hostmap) > 0:
+        debug2('firewall manager: undoing /etc/hosts changes.\n')
+        rewrite_etc_hosts({}, port)
 
 
 # Isolate function that needs to be replaced for tests
@@ -275,8 +278,8 @@ def main(method_name, syslog):
                 debug2('An error occurred, ignoring it.')
 
         try:
-            debug2('firewall manager: undoing /etc/hosts changes.\n')
-            restore_etc_hosts(port_v6 or port_v4)
+            # debug2() message printed in restore_etc_hosts() function.
+            restore_etc_hosts(hostmap, port_v6 or port_v4)
         except BaseException:
             try:
                 debug1("firewall manager: "
diff --git a/tests/client/test_firewall.py b/tests/client/test_firewall.py
index e293be4..d19839b 100644
--- a/tests/client/test_firewall.py
+++ b/tests/client/test_firewall.py
@@ -55,7 +55,7 @@ def test_rewrite_etc_hosts(tmpdir):
         assert line == ""
 
     with patch('sshuttle.firewall.HOSTSFILE', new=str(new_hosts)):
-        sshuttle.firewall.restore_etc_hosts(10)
+        sshuttle.firewall.restore_etc_hosts(hostmap, 10)
     assert orig_hosts.computehash() == new_hosts.computehash()