diff --git a/package/secubox/secubox-app-cs-firewall-bouncer/Makefile b/package/secubox/secubox-app-cs-firewall-bouncer/Makefile
index 6b961fd7..e9f06633 100644
--- a/package/secubox/secubox-app-cs-firewall-bouncer/Makefile
+++ b/package/secubox/secubox-app-cs-firewall-bouncer/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=secubox-app-cs-firewall-bouncer
 PKG_VERSION:=0.0.31
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 # Source from upstream CrowdSec
 # Note: v0.0.31 is the last version compatible with Go 1.23 (OpenWrt 24.10 SDK)
diff --git a/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd b/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
index d1007bd1..d93a017b 100644
--- a/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
+++ b/package/secubox/secubox-app-cs-firewall-bouncer/files/crowdsec-firewall-bouncer.initd
@@ -194,12 +194,24 @@ init_nftables() {
 nft add chain ip "$TABLE" $chain_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
 nft add rule ip "$TABLE" $chain_name-input ct state established,related accept
 nft add rule ip "$TABLE" $chain_name-input iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $log_term $deny_action
+ else
+ nft add rule ip "$TABLE" $chain_name-input ip saddr @crowdsec-blacklists $deny_action
+ fi
 fi
 if [ "$filter_forward" -eq "1" ]; then
 nft add chain ip "$TABLE" $chain_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
 nft add rule ip "$TABLE" $chain_name-forward ct state established,related accept
 nft add rule ip "$TABLE" $chain_name-forward iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $log_term $deny_action
+ else
+ nft add rule ip "$TABLE" $chain_name-forward ip saddr @crowdsec-blacklists $deny_action
+ fi
 fi
 fi
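Review bot: The added verdict lines in both the `-input` and `-forward` blocks expand `$deny_action` and `$log_term` unquoted with no check that they are set; `deny_action` is assigned outside this hunk, and if it expands empty the rule `ip saddr @crowdsec-blacklists` is still accepted by nft as a match with no verdict, so the blocklist is silently not enforced under the chain's `policy accept`. A guard before the first new rule, `[ -n "$deny_action" ] || { echo "deny_action is empty, refusing to install blocklist rules" >&2; return 1; }`, turns that into a visible failure; the ip6 hunk below has the same shape and needs the same guard. Note also that the new rules sit after `ct state established,related accept`, so a ban only affects new connections while flows already tracked from that address keep being accepted — presumably intended, but worth stating in the comment, which could read `# Apply $deny_action (logged when deny_log=1) to sources in the blacklist set; established flows are already accepted above` rather than the current "Drop", which is inaccurate whenever deny_action is not drop. init_nftables() starts before this hunk and ends after it.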
@@ -212,12 +224,24 @@ init_nftables() {
 nft add chain ip6 "$TABLE6" $chain6_name-input "{ type filter hook input priority $hook_priority; policy accept; }"
 nft add rule ip6 "$TABLE6" $chain6_name-input ct state established,related accept
 nft add rule ip6 "$TABLE6" $chain6_name-input iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $log_term $deny_action
+ else
+ nft add rule ip6 "$TABLE6" $chain6_name-input ip6 saddr @crowdsec6-blacklists $deny_action
+ fi
 fi
 if [ "$filter_forward" -eq "1" ]; then
 nft add chain ip6 "$TABLE6" $chain6_name-forward "{ type filter hook forward priority $hook_priority; policy accept; }"
 nft add rule ip6 "$TABLE6" $chain6_name-forward ct state established,related accept
 nft add rule ip6 "$TABLE6" $chain6_name-forward iifname != \{ $interface \} accept
+ # Drop traffic from blacklisted IPs
+ if [ "$deny_log" -eq "1" ]; then
+ nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $log_term $deny_action
+ else
+ nft add rule ip6 "$TABLE6" $chain6_name-forward ip6 saddr @crowdsec6-blacklists $deny_action
+ fi
 fi
 fi
 }
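Review bot: The six-line log/no-log branch is now repeated four times across this hunk and the ip hunk above, differing only in family, table, chain and set name, which invites drift the next time the verdict or logging term changes. A small helper taking those four arguments, defined next to init_nftables(), lets each call site collapse to one line such as `add_blocklist_rule ip6 "$TABLE6" $chain6_name-input crowdsec6-blacklists`. `$log_term` and `$deny_action` stay unquoted inside the helper because the existing rules rely on their word splitting. init_nftables() starts before this hunk; the closing `}` at the end of the hunk is the function's.
```shell
# Append the blocklist verdict to one chain: $1=family (ip|ip6), $2=table,
# $3=chain, $4=set name. Adds the log term first when deny_log=1.
add_blocklist_rule() {
	if [ "$deny_log" -eq "1" ]; then
		nft add rule "$1" "$2" "$3" "$1" saddr "@$4" $log_term $deny_action
	else
		nft add rule "$1" "$2" "$3" "$1" saddr "@$4" $deny_action
	fi
}

# … unchanged: chain creation and the two accept rules …
add_blocklist_rule ip6 "$TABLE6" $chain6_name-input crowdsec6-blacklists
# … unchanged: filter_forward chain creation and accept rules …
add_blocklist_rule ip6 "$TABLE6" $chain6_name-forward crowdsec6-blacklists
```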