diff --git a/config/action.d/allow-iptables-multiport.conf b/config/action.d/allow-iptables-multiport.conf
deleted file mode 100644
index 6f9ffd71..00000000
--- a/config/action.d/allow-iptables-multiport.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Fail2Ban configuration file for allowing hosts
-#
-# WARNING
-# Please be aware that all users behind NAT will access the service on the specified port.
-# You should protect this service with another jail that has very long bantime.
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option: actionstart
-# Notes.: command executed once at the start of Fail2Ban.
-# Values: CMD
-#
-actionstart = iptables -N f2b-
- iptables -A f2b- -j
- iptables -I -p -m multiport --dports -j f2b-
-
-# Option: actionstop
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD
-#
-actionstop = iptables -D -p -m multiport --dports -j f2b-
- iptables -F f2b-
- iptables -X f2b-
-
-# Option: actioncheck
-# Notes.: command executed once before each actionban command
-# Values: CMD
-#
-actioncheck = iptables -n -L | grep -q 'f2b-[ \t]'
-
-# Option: actionban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionban = iptables -I f2b- 1 -s -j
-
-# Option: actionunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: See jail.conf(5) man page
-# Values: CMD
-#
-actionunban = iptables -D f2b- -s -j
-
-[Init]
-
-# Option: allowtype
-# Notes: ACCEPT skips other chains
-# Value: [ RETURN | ACCEPT ]
-#
-allowtype = RETURN
-
-# Author: Viktor Szépe
diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf
index b30404d3..9e2d18a3 100644
--- a/config/action.d/iptables-allports.conf
+++ b/config/action.d/iptables-allports.conf
@@ -18,7 +18,7 @@ before = iptables-common.conf
 # Values: CMD
 #
 actionstart = iptables -N f2b-
- iptables -A f2b- -j RETURN
+ iptables -A f2b- -j
  iptables -I -p -j f2b-
 
 # Option: actionstop
diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf
index c191c5a1..dff01362 100644
--- a/config/action.d/iptables-common.conf
+++ b/config/action.d/iptables-common.conf
@@ -43,3 +43,9 @@ protocol = tcp
 # REJECT, REJECT --reject-with icmp-port-unreachable
 # Values: STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
+
+# Option: returntype
+# Note: This is the default rule on "actionstart". This should be RETURN
+# in all (blocking) actions, except REJECT in allowing actions.
+# Values: STRING
+returntype = RETURN
diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf
index f4d80d6c..093ce7b2 100644
--- a/config/action.d/iptables-multiport-log.conf
+++ b/config/action.d/iptables-multiport-log.conf
@@ -20,7 +20,7 @@ before = iptables-common.conf
 # Values: CMD
 #
 actionstart = iptables -N f2b-
- iptables -A f2b- -j RETURN
+ iptables -A f2b- -j
  iptables -I 1 -p -m multiport --dports -j f2b-
  iptables -N f2b--log
  iptables -I f2b--log -j LOG --log-prefix "$(expr f2b- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf
index b70baf92..f365d917 100644
--- a/config/action.d/iptables-multiport.conf
+++ b/config/action.d/iptables-multiport.conf
@@ -15,7 +15,7 @@ before = iptables-common.conf
 # Values: CMD
 #
 actionstart = iptables -N f2b-
- iptables -A f2b- -j RETURN
+ iptables -A f2b- -j
  iptables -I -p -m multiport --dports -j f2b-
 
 # Option: actionstop
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf
index 3c6657d9..831931dd 100644
--- a/config/action.d/iptables-new.conf
+++ b/config/action.d/iptables-new.conf
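Review bot: The new `returntype` comment in iptables-common.conf prescribes REJECT for allowing actions, but the only allowing jail this commit configures (pass2allow in jail.conf, next line) sets `returntype = DROP`, so the comment and the shipped example disagree. The comment also understates what the option controls: every actionstart in this commit appends the `returntype` rule as the last rule of the jail chain, so it is the verdict for all traffic to the jail's ports that no ban rule matched, and an unintended value either lets that traffic through (allowing jail) or blocks it (blocking jail). Suggest describing the role rather than naming one target, e.g. `# Note: target of the last rule in the jail chain, i.e. the verdict for traffic that no`, `# ban rule matched. Keep RETURN for blocking actions; an allowing action (blocktype =`, `# RETURN) sets a blocking target here, e.g. DROP or REJECT.` The `-j RETURN` to returntype-tag swap in iptables-allports, iptables-multiport-log and iptables-multiport here, and in iptables-new and iptables on the next line, is consistent with the RETURN default and needs no further change.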
@@ -17,7 +17,7 @@ before = iptables-common.conf
 # Values: CMD
 #
 actionstart = iptables -N f2b-
- iptables -A f2b- -j RETURN
+ iptables -A f2b- -j
  iptables -I -m state --state NEW -p --dport -j f2b-
 
 # Option: actionstop
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf
index a956fc55..572bdc11 100644
--- a/config/action.d/iptables.conf
+++ b/config/action.d/iptables.conf
@@ -15,7 +15,7 @@ before = iptables-common.conf
 # Values: CMD
 #
 actionstart = iptables -N f2b-
- iptables -A f2b- -j RETURN
+ iptables -A f2b- -j
  iptables -I -p --dport -j f2b-
 
 # Option: actionstop
diff --git a/config/jail.conf b/config/jail.conf
index ca0a2bfa..c416c076 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -770,13 +770,15 @@ maxretry = 1
 
 [pass2allow]
 # allow FTP traffic after successful HTTP auth
-enabled = false
-filter = apache-pass
-banaction = allow-iptables-multiport
+enabled = false
+filter = apache-pass
+banaction = iptables-multiport
+blocktype = RETURN
+returntype = DROP
 # access log of the website with HTTP auth
-logpath = /var/log/apache2/access.log
-port = ftp,ftp-data,ftps,ftps-data
-protocol = tcp
-bantime = 3600
-maxretry = 1
-findtime = 1
+logpath = /var/log/apache2/access.log
+port = ftp,ftp-data,ftps,ftps-data
+protocol = tcp
+bantime = 3600
+maxretry = 1
+findtime = 1
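Review bot: The rewritten pass2allow jail in jail.conf drops the warning that headed the deleted allow-iptables-multiport.conf (everyone behind the same NAT as an authenticated user reaches the service; protect it with another jail that has a very long bantime), and nothing in the jail now says that `blocktype = RETURN` / `returntype = DROP` inverts the usual semantics: matched ("banned") sources are passed through while the chain's last rule drops all other traffic to the listed FTP ports. Since jail.conf is the file an operator edits, a comment above the section should state both points, and add that when the jail stops its actionstop removes the jump and the chain (the deleted file did this with `iptables -D`/`-F`/`-X`; iptables-multiport's actionstop is outside these hunks but presumably does the same), so the DROP default disappears and the ports become reachable by everyone until the next start. The `enabled`/`filter`/`logpath` and following lines differ only in whitespace and need no change.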