diff --git a/src/or/config.c b/src/or/config.c
index 64e29d39fc..1582aae1dd 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1893,7 +1893,7 @@ options_validate(or_options_t *old_options, or_options_t *options)
                          "LongLivedPorts") < 0)
     result = -1;
 
-  if (options->FascistFirewall) {
+  if (options->FascistFirewall && !options->ReachableAddresses) {
     smartlist_t *instead = smartlist_create();
     config_line_t *new_line = tor_malloc_zero(sizeof(config_line_t));
     new_line->key = tor_strdup("ReachableAddresses");
@@ -1915,7 +1915,6 @@ options_validate(or_options_t *old_options, or_options_t *options)
     new_line->value = smartlist_join_strings(instead,",",0,NULL);
     /* These have been deprecated since 0.1.1.5-alpha-cvs */
     log(LOG_NOTICE, LD_CONFIG, "Converting FascistFirewall and FirewallPorts config options to new format: \"ReachableAddresses %s\"", new_line->value);
-    new_line->next = options->ReachableAddresses;
     options->ReachableAddresses = new_line;
     SMARTLIST_FOREACH(instead, char *, cp, tor_free(cp));
     smartlist_free(instead);
@@ -1924,12 +1923,17 @@ options_validate(or_options_t *old_options, or_options_t *options)
   if (options->ReachableAddresses) {
     /* We need to end with a reject *:*, not an implicit accept *:* */
     config_line_t **linep = &options->ReachableAddresses;
-    while (*linep) {
+    for(;;) {
+      if (!strcmp((*linep)->value, "reject *:*")) /* already there */
+        break;
       linep = &((*linep)->next);
+      if (!*linep) {
+        *linep = tor_malloc_zero(sizeof(config_line_t));
+        (*linep)->key = tor_strdup("ReachableAddresses");
+        (*linep)->value = tor_strdup("reject *:*");
+        break;
+      }
     }
-    *linep = tor_malloc_zero(sizeof(config_line_t));
-    (*linep)->key = tor_strdup("ReachableAddresses");
-    (*linep)->value = tor_strdup("reject *:*");
   }
 
   options->_AllowUnverified = 0;