diff --git a/security/crowdsec-firewall-bouncer/Makefile b/security/crowdsec-firewall-bouncer/Makefile index c07268416620..021a2a0f7078 100644 --- a/security/crowdsec-firewall-bouncer/Makefile +++ b/security/crowdsec-firewall-bouncer/Makefile @@ -1,52 +1,52 @@ PORTNAME= crowdsec-firewall-bouncer -PORTREVISION= 3 +PORTREVISION= 4 DISTVERSIONPREFIX= v DISTVERSION= 0.0.28 CATEGORIES= security MAINTAINER= marco@crowdsec.net COMMENT= CrowdSec bouncer written in golang for firewalls WWW= https://github.com/crowdsecurity/cs-firewall-bouncer LICENSE= MIT LICENSE_FILE= ${WRKSRC}/LICENSE USES= go:modules _COMMIT= af6e7e2 _BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec_firewall GO_MODULE= github.com/crowdsecurity/cs-firewall-bouncer GO_TARGET= ${PORTNAME}:./${PORTNAME} GO_BUILDFLAGS= -trimpath -tags netgo \ -ldflags="\ -a -s -w -extldflags '-static' \ -X github.com/crowdsecurity/go-cs-lib/version.Version=${DISTVERSIONPREFIX}${DISTVERSION}-freebsd \ -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=${_BUILD_DATE} \ -X github.com/crowdsecurity/go-cs-lib/version.Tag=${_COMMIT}" CGO_ENABLED= 0 SUB_FILES= pkg-deinstall \ pkg-install \ pkg-message ETCDIR= ${PREFIX}/etc/crowdsec/bouncers do-install: # # Binaries # ${INSTALL_PROGRAM} ${WRKDIR}/bin/${PORTNAME} \ ${STAGEDIR}${PREFIX}/bin/${PORTNAME} # # Configuration # @${MKDIR} ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${WRKSRC}/config/${PORTNAME}.yaml \ ${STAGEDIR}${ETCDIR}/${PORTNAME}.yaml.sample .include diff --git a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in index 78fed46c27f2..47c4c25cfae1 100644 --- a/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in +++ b/security/crowdsec-firewall-bouncer/files/crowdsec_firewall.in 
@@ -1,100 +1,101 @@ #!/bin/sh # # PROVIDE: crowdsec_firewall # REQUIRE: LOGIN DAEMON NETWORKING # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # # crowdsec_firewall_enable (bool): Set it to YES to enable crowdsec firewall. # Default is "NO" # crowdsec_firewall_config (str): Set the bouncer config path. # Default is "%%ETCDIR%%/crowdsec-firewall-bouncer.yaml" # crowdsec_firewall_name (str): Name of the bouncer to register. # Default is dynamically generated. # crowdsec_firewall_flags (str): extra flags to run bouncer. # Default is "" . /etc/rc.subr name=crowdsec_firewall desc="Crowdsec Firewall" rcvar=crowdsec_firewall_enable load_rc_config "$name" : "${crowdsec_firewall_enable:=NO}" : "${crowdsec_firewall_config:=%%ETCDIR%%/crowdsec-firewall-bouncer.yaml}" : "${crowdsec_firewall_name:=cs-firewall-bouncer-$(date +%s)}" : "${crowdsec_firewall_flags:=}" pidfile=/var/run/${name}.pid required_files="$crowdsec_firewall_config" command="%%PREFIX%%/bin/crowdsec-firewall-bouncer" start_cmd="${name}_start" stop_cmd="${name}_stop" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" extra_commands="configtest" crowdsec_firewall_precmd() { CSCLI=%%PREFIX%%/bin/cscli # there might be quotes orig_line="api_key: .*\${API_KEY}.*" # IF the bouncer is not configured if grep -q "^${orig_line}" "${crowdsec_firewall_config}"; then # AND crowdsec is installed.. if command -v "$CSCLI" >/dev/null; then # THEN, register it to the local API API_KEY=$($CSCLI bouncers add "${crowdsec_firewall_name}" -o raw) if [ -n "$API_KEY" ]; then - sed -i "" "s|^${orig_line}|api_key: ${API_KEY} # ${crowdsec_firewall_name}|" "${crowdsec_firewall_config}" + sed -i "" "s|^${orig_line}|api_key: '${API_KEY}'|" "${crowdsec_firewall_config}" echo "Registered: ${crowdsec_firewall_name}" fi fi fi } crowdsec_firewall_stop() { if [ ! -f "$pidfile" ]; then echo "${name} is not running." 
return fi pid=$(cat "$pidfile") if kill -0 "$pid" >/dev/null 2>&1; then echo "Stopping ${name}." kill -s TERM "$pid" >/dev/null 2>&1 # shellcheck disable=SC2034 for i in $(seq 1 20); do sleep 1 if ! kill -0 "$pid" >/dev/null 2>&1; then rm -f "$pidfile" return fi done echo "Timeout, terminating ${name} with SIGKILL." kill -s KILL "$pid" >/dev/null 2>&1 rm -f "$pidfile" else echo "${name} is not running." fi } crowdsec_firewall_start() { # ensure we have a backend if the config file was not patched export BACKEND=pf + # shellcheck disable=SC2086 /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ "$command" -c "$crowdsec_firewall_config" ${crowdsec_firewall_flags} } crowdsec_firewall_configtest() { echo "Performing sanity check on ${name} configuration." if "$command" -c "$crowdsec_firewall_config" -t; then echo "Configuration test OK" fi } run_rc_command "$1"
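Review bot: The new `sed` replacement in `crowdsec_firewall_precmd` interpolates `${API_KEY}` unescaped, so a key containing `&`, `|` or `\` would be rewritten by sed or abort the substitution, leaving a config value that differs from the one registered through `cscli`. Escaping it first keeps the write exact: `esc_key=$(printf '%s' "$API_KEY" | sed 's/[&|\\]/\\&/g')`, then `api_key: '${esc_key}'` in the replacement. The added single quotes also assume the key never contains `'`, which would break the YAML scalar; whether generated keys can include any of these characters is not visible here, so treat this as hardening rather than a confirmed failure. Separately, the key is passed on the sed command line, where it is briefly visible in the process list. Dropping the `# ${crowdsec_firewall_name}` comment also leaves no record in the file of which timestamp-named bouncer the key belongs to, which makes later revocation harder to audit.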