diff --git a/functions/fw_builder_public_ips.pp b/functions/fw_builder_public_ips.pp
index c41b988d603d6f5531f1b06fa84d1c0f7d653b3c..fbae5b5532a2119a1836846126eb39ba0f5f71f9 100644
--- a/functions/fw_builder_public_ips.pp
+++ b/functions/fw_builder_public_ips.pp
@@ -32,11 +32,15 @@ function fw_builder::fw_builder_public_ips(
     $public_ipsets = []
   } else {
     if 'public' in $facts_fw_conf {
-    # this check is not needed, but it will be necessary if the
-    # code of fw_builder changes and "public" can be absent
+      # this check is not needed, but it will be necessary if the
+      # code of fw_builder changes and "public" can be absent
 
       $facts_fw_conf_public = $facts_fw_conf['public']
 
+      if $facts_fw_conf_public.length == 0 {
+        fail('public is declared but it is empty. Please either delete it or add proper values')
+      }
+
       # create a list of lists with all the ipsets in public
       $unflattened_public_ipsets = $facts_fw_conf_public.map |$app_key, $app_value| {
         if 'ipset' in keys($facts_fw_conf_public[$app_key]) {
diff --git a/manifests/init.pp b/manifests/init.pp
index 636e50eb1ea6e093a68fe9de5b773699b2755c50..e5d75ea9b85b4e2c93fcfde4608dd4b16ec5dc66 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -55,7 +55,7 @@ class fw_builder (
     ipv6_enable => $ipv6_enable,
     limit       => $limit;
   }
-  -> anchor { 'fw_builder::begin': }
+  -> anchor { 'fw_builder::end': }
 
   class { 'fw_builder::logrotate':
     logging           => $logging,