diff --git a/icwmp/Makefile b/icwmp/Makefile index 94e192db8..7cdb438d5 100755 --- a/icwmp/Makefile +++ b/icwmp/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=icwmp -PKG_VERSION:=9.9.12 +PKG_VERSION:=9.9.13 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git -PKG_SOURCE_VERSION:=ce1c11e561ba25a4086c27c4dd5aa18bb0ed3e4d +PKG_SOURCE_VERSION:=3b6737be25c28e8b33da35f2ee90a8b9f61f248a PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip endif diff --git a/icwmp/files/etc/icwmpd/firewall.cwmp b/icwmp/files/etc/icwmpd/firewall.cwmp index ceb1c6364..b56adb33e 100644 --- a/icwmp/files/etc/icwmpd/firewall.cwmp +++ b/icwmp/files/etc/icwmpd/firewall.cwmp 
@@ -133,9 +133,56 @@ add_firewall_rule() { fi } +remove_port_protection() { + local enabled chain rule rule_num + + config_get enabled "${1}" "${2}" + + if [ "${enabled}" -eq 1 ]; then + config_get zonename "$1" name + [ -n "$zonename" ] || return 0 + + chain='prerouting_'$zonename'_rule' + + while rule=$(iptables -w -t nat -nL "$chain" --line-numbers | grep -m 1 -w CWMP_Port_protection); do + rule_num=${rule%%[$' \t']*} + iptables -w -t nat -D "$chain" "$rule_num" + done + fi +} + +cleanup_port_protection() { + config_load firewall + config_foreach remove_port_protection zone masq +} + +install_port_protection() { + local PORT="${3}" + local enabled zonename chain + + config_get enabled "${1}" "${2}" + + if [ "${enabled}" -eq 1 ]; then + config_get zonename "${1}" name + [ -n "$zonename" ] || return 0 + + chain='prerouting_'$zonename'_rule' + + iptables -w -t nat -I "$chain" -p tcp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection + iptables -w -t nat -I "$chain" -p udp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection + fi +} + +add_port_protection() { + config_load firewall + config_foreach install_port_protection zone masq "${1}" +} + configure_connection_req_rules() { app="${1}" + cleanup_port_protection + wan="$(uci -q get cwmp.cpe.default_wan_interface)" wan="${wan:-wan}" @@ -175,8 +222,11 @@ configure_connection_req_rules() { fi fi - port=$(uci -q get cwmp.cpe.port) - port="${port:-7547}" + port=$(uci -q -c /var/state get icwmp.cpe.port) + if [ -z "${port}" ]; then + log "cwmp cpe port not configured" + exit 0 + fi ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip) if [ -n "${ipaddr}" ]; then @@ -197,6 +247,8 @@ configure_connection_req_rules() { # Close the ACS port at Lan side close_downstream_acs_port "${lan}" "${port}" fi + + add_port_protection "${port}" } load_zone_names diff --git a/icwmp/files/etc/uci-defaults/90-cwmpfirewall b/icwmp/files/etc/uci-defaults/90-cwmpfirewall index 8a67c9fc5..694c6005d 100644 
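Review bot: The zone test `[ "${enabled}" -eq 1 ]` in remove_port_protection and install_port_protection is fed the raw `masq` value, which is empty for zones that do not set it (typically lan) and may be `true`/`yes`/`on` where it is set, so `[` emits a "bad number"-style error on every firewall reload and a textual boolean is treated as disabled; since the script already relies on the functions.sh helpers, `config_get_bool enabled "${1}" "${2}" 0` gives a normalised 0/1 value. In the removal loop, `iptables -w -t nat -D "$chain" "$rule_num"` has no failure path: if the delete fails while `-nL` keeps listing the rule (for instance when the line-number parse does not yield a number), the `while` never terminates, so the delete should be `iptables -w -t nat -D "$chain" "$rule_num" || break`. Minor: remove_port_protection declares `enabled chain rule rule_num` local but not `zonename`, unlike install_port_protection, so the zone name leaks into the caller's scope.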
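Review bot: The port read from `/var/state` is only checked for emptiness, yet it is passed straight to `--dport "$PORT"` and to `close_downstream_acs_port`, so a non-numeric or out-of-range value makes iptables fail part-way through and leaves a half-applied rule set; a single `case` covers both cases: `case "${port}" in ''|*[!0-9]*) log "cwmp cpe port missing or invalid"; exit 0 ;; esac`. Dropping the previous `7547` default also means that a firewall reload which runs before icwmpd has populated `/var/state/icwmp` (boot, or a restart of the daemon) exits here with no connection-request rules at all; presumably icwmpd triggers a firewall reload after writing its state, but if it does not, the CR port stays unhandled until the next reload, and this is worth confirming. A comment at the `exit 0` stating that the daemon owns the port value and is expected to re-trigger the include would make that dependency explicit. The enclosing function configure_connection_req_rules starts and ends outside this hunk.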
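Review bot: The `add_port_protection "${port}"` call reads as though it opens the connection-request port, but the rules it installs are ACCEPT targets in the nat-table `prerouting_<zone>_rule` chains, which only exempt the port from DNAT/redirect rules and grant nothing in the filter table; a comment at the call site would prevent that misreading: `# Exempt the CR port from user port-forwards (nat PREROUTING ACCEPT); filter access is handled above`. The protection is also installed only for zones with `masq` set (`config_foreach install_port_protection zone masq`), so a routed upstream zone without masquerading still has its redirects able to capture the port; that may be an intentional "is this the WAN" heuristic, but it is worth stating in a comment. The enclosing `if`/`fi` and the function itself start outside this hunk.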
--- a/icwmp/files/etc/uci-defaults/90-cwmpfirewall +++ b/icwmp/files/etc/uci-defaults/90-cwmpfirewall @@ -5,7 +5,6 @@ uci -q batch <<-EOT set firewall.cwmp=include set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp set firewall.cwmp.reload=1 - commit firewall EOT exit 0