diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
index 8dfa515..d6a1931 100755
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@@ -1,50 +1,11 @@
 #!/bin/sh
-#iptables -F
-#
-#iptables -P INPUT   DROP
-#iptables -P OUTPUT  DROP
-#iptables -P FORWARD DROP
-#
-#for proto in tcp udp
-#do
-#  for port in 53 666 655
-#  do
-#    iptables -A OUTPUT -p $proto --dport $port -j ACCEPT
-#    iptables -A OUTPUT -p $proto --sport $port -j ACCEPT
-#    iptables -A INPUT  -p $proto --dport $port -j ACCEPT
-#    iptables -A INPUT  -p $proto --sport $port -j ACCEPT
-#  done
-#done
-#
-#iptables -A OUTPUT -p icmp -j ACCEPT
-#iptables -A INPUT  -p icmp -j ACCEPT
-#
-#iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-#iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-#
-#
-#iptables -A OUTPUT -p tcp --sport 1024: -j ACCEPT
-#iptables -A OUTPUT -p udp --sport 1024: -j ACCEPT
-
-# mastersword.de
-#iptables -A OUTPUT -p tcp -d 78.46.215.78 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 78.46.215.78 -j ACCEPT
-
-# gw1.freifunk-ol.de
-#iptables -A OUTPUT -p tcp -d 178.33.33.102 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 178.33.33.102 -j ACCEPT
-
-# freifunk-ol.de
-#iptables -A OUTPUT -p tcp -d 178.33.33.208 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 178.33.33.208 -j ACCEPT
-
-#Masquerade interface for gateway
-#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 #solves MTU problem with bad ISP´s
 iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 # Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
 # Das wirkt bei kleinen Geräten wir ein DOS
-iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -I INPUT -i eth0.2 -j DROP
+WAN=$(uci get network.wan.ifname)
+iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $WAN -j REJECT
+