diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..88bb7d54bebc9d72ca1d50f7bb1d631fdf0251f3
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,28 @@
+.earthly_prepare:
+  tags:
+    - privileged
+  image:
+    name: earthly/earthly:v0.6.29@sha256:81eaf447132541b930d64cbf3308ba07303928a073c602e81a237799b60f254d
+    entrypoint: [ "sh", "-c" ]
+  before_script:
+    - earthly --version
+    - cat ${EARTHLY_CONFIG}
+  variables:
+    FORCE_COLOR: "1"
+    EARTHLY_CONFIG: "/etc/earthly/config.yaml"
+    EARTHLY_STRICT: "true"
+  interruptible: true
+  retry:
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+
+test:
+  stage: test
+  extends: [.earthly_prepare]
+  script:
+    - earthly --no-output -P +test
+  only:
+    refs:
+      - merge_requests
diff --git a/Earthfile b/Earthfile
new file mode 100644
index 0000000000000000000000000000000000000000..2c59020e3629b013557ab2756c6157cd226ba26a
--- /dev/null
+++ b/Earthfile
@@ -0,0 +1,26 @@
+VERSION --use-copy-include-patterns 0.5
+
+install-deps:
+    FROM debian:stable@sha256:13db79e523a13e3e55b606128a4193d7b9ae788d0c11c95d6a6de0bd30aa3a14
+
+shorewall-deps:
+    FROM +install-deps
+    RUN apt update
+    RUN apt install shorewall shorewall6 ipset -y
+    USER root
+
+validate-shorewall:
+    FROM +shorewall-deps
+    RUN apt update
+    RUN apt install shorewall ipset -y
+    COPY ./roles/firewall/files/shorewall /tmp/shorewall
+    RUN --privileged shorewall check /tmp/shorewall
+
+validate-shorewall6:
+    FROM +shorewall-deps
+    COPY ./roles/firewall/files/shorewall6 /tmp/shorewall6
+    RUN --privileged shorewall6 check /tmp/shorewall6
+
+test:
+    BUILD +validate-shorewall
+    BUILD +validate-shorewall6
diff --git a/roles/firewall/files/shorewall/shorewall.conf b/roles/firewall/files/shorewall/shorewall.conf
index b978dd36a7e201ef0bebdae9e376706272846b13..1982e86e78730767e6da870e67c23d674b96d058 100644
--- a/roles/firewall/files/shorewall/shorewall.conf
+++ b/roles/firewall/files/shorewall/shorewall.conf
@@ -191,8 +191,6 @@ IP_FORWARDING=Yes
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=
diff --git a/roles/firewall/files/shorewall/shorewall6.conf b/roles/firewall/files/shorewall/shorewall6.conf
index f75fbbc712abaf81f81a310265e21dae388dce84..b8bf6d1abb114e6fa85a2a741954bf35c62733dd 100644
--- a/roles/firewall/files/shorewall/shorewall6.conf
+++ b/roles/firewall/files/shorewall/shorewall6.conf
@@ -178,8 +178,6 @@ IP_FORWARDING=Yes
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=
diff --git a/roles/firewall/files/shorewall6/shorewall6.conf b/roles/firewall/files/shorewall6/shorewall6.conf
index 98645f3825c8f6be0923cfabebf2d397b9b9deee..a13f0150d83a7a9a5b4e92d5a79756bad5a83bfc 100644
--- a/roles/firewall/files/shorewall6/shorewall6.conf
+++ b/roles/firewall/files/shorewall6/shorewall6.conf
@@ -178,8 +178,6 @@ IP_FORWARDING=Yes
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=