diff --git a/Makefile b/Makefile
index 7766699af76f4f9a8db3e6e2077eade2598558e7..66f1bd68dd0c3657c6e4bdf523c997d7a2c3ac3a 100644
--- a/Makefile
+++ b/Makefile
@@ -7,11 +7,12 @@ sharedir = $(prefix)/share/firewall
 INSTALL = install
 TABLES = filter nat mangle raw
 
-all:
+all: update-firewall
 
 clean:
+	-rm -f update-firewall
 
-install:
+install: all
 	$(INSTALL) -d $(DESTDIR)$(sbindir)
 	$(INSTALL) -d $(DESTDIR)$(sharedir)
 	$(INSTALL) -d $(DESTDIR)$(fwconfdir)
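Review bot: The leading `-` on the new `clean` recipe line is redundant and hides real failures. `rm -f` already exits 0 when the file is absent, so the only errors the prefix can swallow are genuine ones such as a permission problem. `$(RM) update-firewall` (or plain `rm -f update-firewall`) does the same job without masking them. Whether `all`, `clean` and `install` are declared `.PHONY` is not visible in this hunk; now that `install` depends on `all`, that is worth confirming.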
@@ -34,3 +35,6 @@ install:
 	    $(INSTALL) -d $(DESTDIR)$(fwconfdir)/blocked/$$type/$$proto ; \
 	  done ; \
 	done)
+
+%: %.in
+	sed -e s,@PREFIX@,$(prefix),g -e s,@FWCONFDIR@,$(fwconfdir),g $< > $@
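Review bot: The new recipe redirects straight into `$@`, so a failed or interrupted `sed` leaves a truncated `update-firewall` that make treats as up to date and that `install` will then copy. Writing to a temporary name and renaming avoids that, and quoting the expressions stops the shell from word-splitting or globbing an unusual `prefix` value: `sed -e 's,@PREFIX@,$(prefix),g' -e 's,@FWCONFDIR@,$(fwconfdir),g' $< > $@.tmp && mv -f $@.tmp $@`. A `.DELETE_ON_ERROR:` line would cover the failure case as well, if the file does not already have one. The rule also has no prerequisite that changes with `prefix` or `fwconfdir`, so `make` followed by `make install prefix=...` installs a script with the old paths baked in. Since `%: %.in` matches any target, an explicit `update-firewall: update-firewall.in` rule would be narrower.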
diff --git a/update-firewall b/update-firewall.in
similarity index 94%
rename from update-firewall
rename to update-firewall.in
index 5ee9ab34c760d7368468aaddd249a99e71c128da..6fcd3ab8e5e91a73eb4bf0568d4effaa98ab9c04 100755
--- a/update-firewall
+++ b/update-firewall.in
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Directory containing the configuration snippets.
-CONFIG_DIR="${CONFIG_DIR:-/etc/firewall}"
+CONFIG_DIR="${CONFIG_DIR:-@FWCONFDIR@}"
 
 # List of tables to manage.
 TABLES="filter nat mangle raw"
@@ -238,7 +238,16 @@ while [ $# -gt 0 ]; do
     shift
 done
 
+# We need to run update-ipset first, so that we can reference the sets
+# from iptables "-m set" rules.
+if [ -x @PREFIX@/sbin/update-ipset ]; then
+    @PREFIX@/sbin/update-ipset
+    if [ $? -gt 0 ]; then
+        echo "update-ipset failed, aborting..." >&2
+        exit 1
+    fi
+fi
+
 load_firewall
 
-# Execute update-ipset next.
-exec /usr/sbin/update-ipset
+exit 0
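Review bot: The added block hard-codes `@PREFIX@/sbin/update-ipset`, while the Makefile installs into `$(sbindir)`, so the two paths can differ whenever `sbindir` is not `$(prefix)/sbin` (its definition is outside this diff). In that case the `-x` test fails silently and `load_firewall` runs without the sets being refreshed, whereas the removed `exec /usr/sbin/update-ipset` failed visibly. Substituting a dedicated placeholder would keep them in step, e.g. `if [ -x "@SBINDIR@/update-ipset" ]; then` with a matching `-e 's,@SBINDIR@,$(sbindir),g'` in the Makefile rule. A message on stderr when the helper is missing would make the skip visible. The exit-status check can also be folded into the call as `if ! "@SBINDIR@/update-ipset"; then`, which removes the separate `$?` test.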