diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 3809dca7d..f6da14ea6 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3622,6 +3622,7 @@ reject_command() {
 blacklist_command() {
 local family
+ local timeout
 [ $# -gt 0 ] || fatal_error "Missing address"
@@ -3639,7 +3640,9 @@ blacklist_command() {
 ;;
 esac
- if $IPSET -A $g_blacklistipset $@ -exist; then
+ echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+
+ if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 local message
 progress_message2 "$1 Blacklisted"
@@ -3908,8 +3911,26 @@ setup_dbl() {
 case $DYNAMIC_BLACKLIST in
 ipset*,timeout*)
 #
- # This utility doesn't need to know about 'timeout=nnn'
+ # Capture timeout
 #
+ local ifs
+ local f
+
+ ifs=$IFS
+ IFS=','
+
+ for f in $DYNAMIC_BLACKLIST; do
+ case $f in
+ timeout=*)
+ g_dbltimeout=${f#timeout=}
+ g_dbltimeout=${g_dbltimeout%%:*}
+ break
+ ;;
+ esac
+ done
+
+ IFS=$ifs
+
 DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 ;;
 esac
@@ -4458,6 +4479,7 @@ shorewall_cli() {
 g_disconnect=
 g_havemutex=
 g_trace=
+ g_dbltimeout=
 VERBOSE=
 VERBOSITY=1
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 69cae8c21..c1f8ab626 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8890,7 +8890,7 @@ sub ensure_ipsets( @ ) {
 my $set;
 my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
- if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+ if ( $_[0] eq $globals{DBL_IPSET} ) {
 shift;
 emit( qq( if ! qt \$IPSET list $globals{DBL_IPSET}; then));
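Review bot: In blacklist_command, `timeout="timeout $g_dbltimeout"` is assigned whenever the caller did not supply a timeout, but g_dbltimeout is initialised empty in shorewall_cli and is only filled in by setup_dbl's `ipset*,timeout*` case, so with a DYNAMIC_BLACKLIST that has no timeout= option the `$IPSET -A` line receives a bare `timeout` keyword with no value. Guard the assignment on the global being set: `if [ -n "$g_dbltimeout" ]; then` / `    echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"` / `fi`. Since `$timeout` is deliberately expanded unquoted to yield either two words or nothing, a comment on that line such as `# $timeout is intentionally unquoted: it expands to 'timeout N' or to nothing` would stop a later cleanup from quoting it. The body of blacklist_command continues outside the hunk.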
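Review bot: In setup_dbl the captured g_dbltimeout is never validated, while the `sed -r 's/,timeout=[[:digit:]]+//'` on the following line only strips a value made of digits; a value such as timeout=5m is therefore both passed on to `$IPSET -A` by blacklist_command and left behind in DYNAMIC_BLACKLIST, where the rest of the option parsing presumably does not expect it. Validate right after `IFS=$ifs`: `case $g_dbltimeout in` / `    ''|*[!0-9]*) fatal_error "Invalid timeout ($g_dbltimeout) in DYNAMIC_BLACKLIST" ;;` / `esac`. The `${g_dbltimeout%%:*}` strip deserves a one-line comment, e.g. `# the timeout= field may carry the :setname[:log] suffix of DYNAMIC_BLACKLIST; keep only the number`, since the reason is not obvious from the loop alone. setup_dbl starts and ends outside the hunk.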
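Review bot: Removing the `$globals{DBL_TIMEOUT} ne ''` guard means the DBL set is now always created through this branch, yet the create is still wrapped in `if ! qt \$IPSET list ...`, so a set left over from a previous run that was created without the timeout extension is reused unchanged, and the per-entry `timeout N` that blacklist_command now appends would presumably be rejected by ipset for such a set. That upgrade case should at least be documented (destroy and recreate the set), or the emitted script could inspect the existing set's create parameters before deciding to keep it. A comment above the condition such as `# Always create the DBL set with the timeout extension (a default of 0 means no expiry) so that entries can carry their own timeout` would record why the old check was dropped. ensure_ipsets starts before and continues past the hunk.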
@@ -8901,12 +8901,12 @@ sub ensure_ipsets( @ ) {
 emit( q( #),
 q( # Set the timeout for the dynamic blacklisting ipset),
 q( #),
- qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+ qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet timeout 0${counters}) );
 } else {
 emit( q( #),
 q( # Set the timeout for the dynamic blacklisting ipset),
 q( #),
- qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+ qq( \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 }
 pop_indent;