diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index 11dac8f41..dc61f7c75 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=1
-PKG_RELEASE:=19
+PKG_RELEASE:=20
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index e0cb42e6d..be6620d19 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -388,10 +388,11 @@ fw_rule() {
 		[ -n "$dest" ] && TARGET="zone_${dest}_${TARGET}"
 	fi
 
-	eval 'RULE_COUNT=$((++RULE_COUNT_'$ZONE'))'
+	local pos
+	eval 'pos=$((++FW__RULE_COUNT_'$ZONE'))'
 
 	add_rule() {
-		$IPTABLES -t $TABLE -I $ZONE $RULE_COUNT \
+		$IPTABLES -t $TABLE -I $ZONE $pos \
 			$srcaddr $destaddr \
 			${proto:+-p $proto} \
 			${icmp_type:+--icmp-type $icmp_type} \
@@ -501,7 +502,10 @@ fw_redirect() {
 	get_portrange destports "${dest_port-$src_dport}" ":"
 
 	add_rule() {
-		$IPTABLES -I $natchain 1 -t nat \
+		local pos
+		eval 'pos=$((++FW__REDIR_COUNT_'$natchain'))'
+
+		$IPTABLES -I $natchain $pos -t nat \
 			$srcaddr $srcdaddr \
 			${proto:+-p $proto} \
 			${srcports:+--sport $srcports} \