diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile
index cd9405eae44a6bcd2a9eb2172ea51b8d04853306..5b20dadefed96d4dc0b136ad0f7a912e4473178a 100644
--- a/package/network/config/firewall3/Makefile
+++ b/package/network/config/firewall3/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall3
-PKG_VERSION:=2013-03-02
+PKG_VERSION:=2013-03-11
 PKG_RELEASE:=$(PKG_SOURCE_VERSION)
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=git://nbd.name/firewall3.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=46536e5263c4bf57a91c38b5d08d78c774649dda
+PKG_SOURCE_VERSION:=87c4f12e16ae726e20774ee58468fa751a79a2c1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org>
 
diff --git a/package/network/config/firewall3/files/firewall.user b/package/network/config/firewall3/files/firewall.user
index 1ccbd01657422cd24fe2742755065b954e95a6bd..6f799063f5a1940c481f9e31405f7bfc0491f097 100644
--- a/package/network/config/firewall3/files/firewall.user
+++ b/package/network/config/firewall3/files/firewall.user
@@ -2,3 +2,6 @@
 # Put your custom iptables rules here, they will
 # be executed with each firewall (re-)start.
 
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.