--- a/package/network/config/firewall4/Makefile
+++ b/package/network/config/firewall4/Makefile
@@ -25,7 +25,8 @@ define Package/firewall4
 	+kmod-nft-core +kmod-nft-fib +kmod-nft-offload \
 	+kmod-nft-nat \
 	+nftables-json \
-	+ucode +ucode-mod-fs +ucode-mod-ubus +ucode-mod-uci
+	+ucode +ucode-mod-fs +ucode-mod-ubus +ucode-mod-uci \
+	+iptables +ip6tables +kmod-nft-fullcone +kmod-nft-socket +kmod-nft-tproxy
   EXTRA_DEPENDS:=ucode (>=2022.03.22)
   PROVIDES:=uci-firewall
 endef
@@ -38,10 +39,14 @@ endef
 define Package/firewall4/conffiles
 /etc/config/firewall
 /etc/nftables.d/
+/etc/firewall.user
 endef
 
 define Package/firewall4/install
 	$(CP) -a $(PKG_BUILD_DIR)/root/* $(1)/
+	$(INSTALL_DIR) $(1)/etc/
+	$(INSTALL_CONF) ./files/firewall.include $(1)/etc/firewall.user
+	$(INSTALL_CONF) ./files/firewall.exwan $(1)/etc/firewall.exwan
 endef
 
 define Build/Compile

--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -30,9 +30,10 @@ define Package/firewall
   SECTION:=net
   CATEGORY:=Base system
   TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat \
+	+iptables-mod-fullconenat +ip6tables-mod-fullconenat +iptables-legacy +ip6tables-legacy +kmod-ipt-nat6 +kmod-ipt-offload \
+	+ipset +iptables-mod-conntrack-extra +iptables-mod-iprange +iptables-mod-socket +iptables-mod-tproxy
   PROVIDES:=uci-firewall
-  CONFLICTS:=firewall4
 endef
 
 define Package/firewall/description
 

 define Package/package/network/config/firewall/description
@@ -59,6 +59,7 @@ define Package/package/network/config/firewall/install
 	$(INSTALL_CONF) ./files/firewall.config $(1)/etc/config/firewall
 	$(INSTALL_DIR) $(1)/etc/
 	$(INSTALL_CONF) ./files/firewall.user $(1)/etc/firewall.user
+	$(INSTALL_CONF) ./files/firewall.exwan $(1)/etc/firewall.exwan
 	$(INSTALL_DIR) $(1)/usr/share/fw3
 	$(INSTALL_CONF) $(PKG_BUILD_DIR)/helpers.conf $(1)/usr/share/fw3
 endef

--- a/package/feeds/luci/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
+++ b/package/feeds/luci/luci-app-firewall/htdocs/luci-static/resources/view/firewall/zones.js
@@ -58,6 +58,50 @@ return view.extend({
 
 		o = s.option(form.Flag, 'drop_invalid', _('Drop invalid packets'));
 
+		if (L.hasSystemFeature('fullcone')) {
+			o = s.option(form.Flag, 'fullcone', _('Enable FullCone NAT'));
+			if (fw4)
+				o = s.option(form.Flag, 'fullcone6', _('Enable FullCone NAT6'));
+				o.depends('fullcone', '1');
+		}
+
+		o = s.option(form.Flag, 'expose_wan', _('Expose WAN'), _('Danger! Proceed at your own risk.'));
+
+		o = s.option(form.Value, 'export', _('Ports to Expose'), _('Multiple ports can be, separated by spaces, format: 80 81 82'));
+		o.depends('expose_wan', '1');
+		o.validate = function(section_id, value) {
+		if (value.match(/^(\d+\s*)+$/)) {
+			return true;
+		}
+		 return _('Please enter valid format.');
+		};
+
+		o = s.option(form.ListValue, 'family', _('Restrict to address family'));
+		o.modalonly = true;
+		o.rmempty = true;
+		o.depends('expose_wan', '1');
+		o.value('', _('IPv4 and IPv6'));
+		o.value('ipv4', _('IPv4 only'));
+		o.value('ipv6', _('IPv6 only'));
+
+		o = s.option(form.ListValue, 'proto', _('Protocol'));
+		o.modalonly = true;
+		o.rmempty = true;
+		o.default = 'tcp';
+		o.depends('expose_wan', '1');
+		o.value('tcp', _('TCP'));
+		o.value('udp', _('UDP'));
+		o.value('tudp', _('TCP+UDP'));
+
+		o = s.option(form.Flag, 'ex_ssh', _('Expose SSH'));
+		o.depends('expose_wan', '1');
+		o = s.option(form.Flag, 'ex_backend', _('Expose Backend'));
+		o.depends('expose_wan', '1');
+		o = s.option(form.Value, 'backend_port', _('Backend Port'), _('国内请使用除80,443外的端口'));
+		o.depends('ex_backend', '1');
+		o.rmempty = false;
+		o.datatype = 'integer';
+
 		var p = [
 			s.option(form.ListValue, 'input', _('Input')),
 			s.option(form.ListValue, 'output', _('Output')),

--- a/package/network/config/firewall/files/firewall.init
+++ b/package/network/config/firewall/files/firewall.init
@@ -38,10 +38,12 @@ service_triggers() {
 }
 
 restart() {
+	test -f /etc/firewall.exwan && sh /etc/firewall.exwan
 	fw3 restart
 }
 
 start_service() {
+	test -f /etc/firewall.exwan && sh /etc/firewall.exwan
 	fw3 ${QUIET} start
 }
 
@@ -50,6 +52,7 @@ stop_service() {
 }
 
 reload_service() {
+	test -f /etc/firewall.exwan && sh /etc/firewall.exwan
 	fw3 reload
 }