diff --git a/Makefile b/Makefile
index be10f99..702d59a 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,6 @@ all:
 install:
 	install -d -m 0755 -o root -g root $(DESTDIR)/etc/init.d $(DESTDIR)/etc/rsyslog.d
 	install -d -m 0755 -o root -g root $(DESTDIR)/etc/firewall
-	install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall
+	install -m 0640 -o root -g root $(NAME).conf $(DESTDIR)/etc/firewall/firewall.conf.template
 	install -m 0640 -o root -g root rsyslog.conf $(DESTDIR)/etc/rsyslog.d
 	install -m 0755 -o root -g root $(NAME) $(DESTDIR)/etc/init.d
-
diff --git a/README b/README
index 4e298bf..6f99ad2 100644
--- a/README
+++ b/README
@@ -1,6 +1,8 @@
 = Installation =
 
  * Requrie: rsyslog, logrotate and iptables
  * make install
+ * Move /etc/firewall/firewall.conf.template to /etc/firewall/firewall.conf
+ * Configure /etc/firewall/firewall.conf
 
 = Usage =
@@ -10,5 +12,5 @@ Second save this change (this will load your rules and save it):
 /etc/init.d/firewall save
 
 You need to use save at least one time.
-/etc/init.d/firewall stop: will flush your rules
+/etc/init.d/firewall stop: will flush ALL your rules
 /etc/init.d/firewall start|restore: will load your saved rules
diff --git a/debian/changelog b/debian/changelog
index 025f6f0..5939aed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+eofirewall (0.1-20110623.1) unstable; urgency=low
+
+  * Fix multiple port knocking
+  * Fix config test
+  * Move firewall.conf to firewall.conf.template
+  * Clean start messages
+
+ -- Jérôme Schneider Thu, 23 Jun 2011 13:52:39 +0200
+
 eofirewall (0.1-20110621.3) unstable; urgency=low
 
   * Add an example for the ssh whitelist
diff --git a/firewall b/firewall
index b03bea3..c625b6a 100755
--- a/firewall
+++ b/firewall
@@ -29,20 +29,33 @@ fi
 
 clean()
 {
-    $IPTABLES -F
-    $IPTABLES -F INPUT
-    $IPTABLES -F OUTPUT
-    $IPTABLES -F FORWARD
-    $IPTABLES -F -t mangle
-    $IPTABLES -F -t nat
-    $IPTABLES -X
+    $IPTABLES -t filter -F
+    $IPTABLES -t filter -X
+
+    $IPTABLES -t filter -P INPUT ACCEPT
+    $IPTABLES -t filter -P FORWARD ACCEPT
+    $IPTABLES -t filter -P OUTPUT ACCEPT
+
+    $IPTABLES -t nat -F
+    $IPTABLES -t nat -X
+
+    $IPTABLES -t nat -P PREROUTING ACCEPT
+    $IPTABLES -t nat -P OUTPUT ACCEPT
+    $IPTABLES -t nat -P POSTROUTING ACCEPT
+
+    $IPTABLES -t mangle -F
+    $IPTABLES -t mangle -X
+
+    $IPTABLES -t mangle -P PREROUTING ACCEPT
+    $IPTABLES -t mangle -P INPUT ACCEPT
+    $IPTABLES -t mangle -P FORWARD ACCEPT
 }
 
 test_config()
 {
+    # FIXME: test if the interface and the ip exist
     if [ ! "$WAN_INT" -o ! "$IP" ]; then
-        echo "Bad configuration please check your /etc/firewall/firewall.conf"
-        exit 1
+        abort "Bad configuration please check your /etc/firewall/firewall.conf"
     fi
 }
 
@@ -96,8 +109,8 @@ open_port()
         stop && exit 1
     fi
     source=$1
+    echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
     for port in $(echo $ports | sed 's/,/ /g'); do
-        echo "+ Open port $port from $source to $destination for protocol $proto"
         $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
         critical_return
     done
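Review bot: clean() now resets every policy to ACCEPT, and start() in the next hunk calls it before the `-P INPUT DROP` defaults are applied, so the host is accept-everything between those two points and stays that way on any exit in between — including open_port's `stop && exit 1` error path in the second hunk, where a configuration mistake leaves the firewall fully open rather than closed. Consider taking the policy as a parameter, `policy=${1:-ACCEPT}` with `$IPTABLES -t filter -P INPUT $policy` (likewise FORWARD and OUTPUT), and calling `clean DROP` from start() so a failed start fails closed; whether OUTPUT is meant to stay ACCEPT during start() is not visible here. In test_config, `-o` inside `[ ]` is deprecated and ambiguous; `if [ -z "$WAN_INT" ] || [ -z "$IP" ]; then` is the portable form. abort is not defined in this hunk, so its exit behaviour is assumed.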
@@ -121,37 +134,39 @@ port_redirection() port_knocking() { - if [ $# != 2 ]; then + if [ $# != 3 ]; then echo "! Bad syntax for port knocking : $*" return fi port=$1 knock_ports=$2 - i=0 + knock_number=$3 + i=0 for kport in $(echo $knock_ports | sed 's/,/ /g'); do ((i++)) + tock_number=$knock_number$i if [ $i -gt 1 ]; then - iptables -N toc$i - iptables -A toc$i -m recent --name toc$(($i-1)) --remove - iptables -A toc$i -m recent --name toc$i --set - iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$(($i-1)) -j toc$i + iptables -N toc${tock_number} + iptables -A toc${tock_number} -m recent --name toc$((${tock_number}-1)) --remove + iptables -A toc${tock_number} -m recent --name toc${tock_number} --set + iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --rcheck --name toc$((${tock_number}-1)) -j toc${tock_number} else - iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc$i + iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number} fi done - iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc$i -m state --state NEW -j ACCEPT + echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT" + iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT } start() { echo "Starting: Firewall" + test_config modprobe ip_conntrack clean - test_config - # default policies $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP 
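Review bot: `tock_number=$knock_number$i` builds the recent-list name by string concatenation, and `toc$((${tock_number}-1))` then derives the previous step arithmetically, which only matches the previous iteration's name while i stays below 10 (knock 1, step 10 yields 110 while step 9 was named 19) and also lets two rules share a name (knock 1 step 11 and knock 11 step 1 are both toc111), so a knock sequence can silently break or cross over into another one. Use a separator and compute the predecessor from i rather than from the concatenated name: `tock_number=${knock_number}_${i}` and `--name toc${knock_number}_$((i-1))` on the two lines that reference the previous step. The new lines also keep calling `iptables` directly while the rest of the script goes through `$IPTABLES`. start()'s body continues past the end of the hunk.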
@@ -187,31 +202,23 @@ start() fi ## block spoofing - echo "+ Block spoofing" + echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN" echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter - ## NMAP FIN/URG/PSH - echo "+ Block scan ports" $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP - ## stop Xmas Tree type scanning - echo "+ Block Xmas Tree" $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL ALL -j DROP $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "iptables: Xmas tree: " --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP - ## stop null scanning - echo "+ Block null scanning" $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables: Null scanning: " --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL NONE -j DROP ## SYN/RST - echo "+ Block SYN/RST" $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "iptables: SYN/RST: " --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP ## SYN/FIN - echo "+ Block SYN/FIN" $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "iptables: SYN/FIN: " --log-level 4 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP @@ -246,8 +253,10 @@ start() done ## Port knocking + j=1 for args in "${PORT_KNOCK[@]}"; do - port_knocking $args + port_knocking $args $j + ((j++)) done ## Port forwading 
@@ -291,26 +300,7 @@ start()
 stop()
 {
     echo "+ Firewall stoped"
-    $IPTABLES -t filter -F
-    $IPTABLES -t filter -X
-
-    $IPTABLES -t filter -P INPUT ACCEPT
-    $IPTABLES -t filter -P FORWARD ACCEPT
-    $IPTABLES -t filter -P OUTPUT ACCEPT
-
-    $IPTABLES -t nat -F
-    $IPTABLES -t nat -X
-
-    $IPTABLES -t nat -P PREROUTING ACCEPT
-    $IPTABLES -t nat -P OUTPUT ACCEPT
-    $IPTABLES -t nat -P POSTROUTING ACCEPT
-
-    $IPTABLES -t mangle -F
-    $IPTABLES -t mangle -X
-
-    $IPTABLES -t mangle -P PREROUTING ACCEPT
-    $IPTABLES -t mangle -P INPUT ACCEPT
-    $IPTABLES -t mangle -P FORWARD ACCEPT
+    clean
 }
 
 case "$1" in
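Review bot: `echo "+ Firewall stoped"` is printed before clean runs and regardless of whether it succeeds, and has a typo; `clean && echo "+ Firewall stopped"` reports the actual outcome. Since clean() leaves every table with an ACCEPT policy, stop is a fail-open operation, and it is also the error path open_port takes (`stop && exit 1` in the earlier hunk), so the README's "flush ALL your rules" wording is accurate and the function deserves a comment making that explicit, e.g. `# NOTE: leaves all policies ACCEPT - the host is unfiltered after stop`.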