diff --git a/clone/clone b/clone/clone
index 48cf10e..1fa991f 100755
--- a/clone/clone
+++ b/clone/clone
@@ -299,7 +299,12 @@ step7(){
 echo " - /lib/systemd/system";
 sudo cp ./utility/sats-dwc@.service /mnt/lib/systemd/system/sats-dwc@.service;
- # (5) Create sats-update timer #
+ # (5) Create firewall@ service #
+ echo " (.) Create firewall@ service";
+ echo " - /lib/systemd/system";
+ sudo cp ./utility/firewall@.service /mnt/lib/systemd/system/firewall@.service;
+
+ # (6) Create sats-update timer #
 echo " (.) Create sats-update timer";
 echo " - /lib/systemd/system";
 cat ./utility/sats-update.timer | sudo tee /mnt/lib/systemd/system/sats-update.timer > /dev/null;
@@ -318,8 +323,12 @@ step7(){
 echo " (.) Emulate \`systemctl enable sats-dwc@wlan0.service\`";
 sudo ln -fs /lib/systemd/system/sats-dwc@.service /mnt/etc/systemd/system/multi-user.target.wants/sats-dwc@wlan0.service;
- # (4) Enable sats-update timer at startup #
- echo " - Emulate \`systemctl enable sats-update.timer\`";
+ # (4) Enable firewall@default at startup #
+ echo " (.) Emulate \`systemctl enable firewall@default.service\`";
+ sudo ln -fs /lib/systemd/system/firewall@.service /mnt/etc/systemd/system/multi-user.target.wants/firewall@default.service;
+
+ # (5) Enable sats-update timer at startup #
+ echo " (.) Emulate \`systemctl enable sats-update.timer\`";
 sudo ln -fs /lib/systemd/system/sats-update.timer /mnt/etc/systemd/system/multi-user.target.wants/sats-update.timer;
@@ -337,10 +346,15 @@ step7(){
 echo " (.) Create sats-loop script";
 cat ./utility/sats-loop | sudo tee /mnt/service/sats-loop > /dev/null;
- # (4.1) Create sats-dwc@wlan0 script #
+ # (4) Create sats-dwc@wlan0 script #
 echo " (.) Create sats-dwc@wlan0 script";
 cat ./utility/wlan0.dwc | sed "s/\*\*\*SALT\*\*\*/$WIFI_SALT/" | sed "s/\*\*\*PEPPER\*\*\*/$WIFI_PEPPER/" | sudo tee /mnt/etc/wpa_supplicant/wlan0.dwc > /dev/null;
+ # (5) Create firewall@default script #
+ echo " (.) Create firewall@default script";
+ sudo mkdir -p /opt/firewall;
+ cat ./utility/default.fw | sudo tee /mnt/opt/firewall/default.fw > /dev/null;
+
 # (5) Set up permissions #--------------------------------------------------------#
@@ -349,23 +363,23 @@ step7(){
 # (1) Services scripts #
 echo " - sats-install (owner: pi)";
 sudo chown 1000:1000 /mnt/service/sats-install;
- sudo chmod 550 /mnt/service/sats-install;
+ sudo chmod 770 /mnt/service/sats-install;
 echo " - sats-update (ownder: sats)";
 sudo chown 666:666 /mnt/service/sats-update;
- sudo chmod 550 /mnt/service/sats-update;
+ sudo chmod 770 /mnt/service/sats-update;
 echo " - sats-loop (ownder: sats)";
 sudo chown 666:666 /mnt/service/sats-loop;
- sudo chmod 550 /mnt/service/sats-loop;
+ sudo chmod 770 /mnt/service/sats-loop;
 echo " - sats-dwc@wlan0 (ownder: pi)";
 sudo chown 1000:1000 /mnt/etc/wpa_supplicant/wlan0.dwc;
- sudo chmod 550 /mnt/etc/wpa_supplicant/wlan0.dwc;
+ sudo chmod 770 /mnt/etc/wpa_supplicant/wlan0.dwc;
 echo " - /service (ownder: sats)";
 sudo chown 666:666 /mnt/service/*;
- sudo chmod 555 /mnt/service/*;
+ sudo chmod 775 /mnt/service/*;
 echo " - /target (ownder: sats)";
 sudo chown 666:666 /mnt/target;
diff --git a/clone/utility/default.fw b/clone/utility/default.fw
new file mode 100644
index 0000000..2bba9de
--- /dev/null
+++ b/clone/utility/default.fw
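Review bot: `sudo mkdir -p /opt/firewall;` creates the directory on the machine running the clone script, not inside the mounted image, so the next line's `sudo tee /mnt/opt/firewall/default.fw` fails with "No such file or directory" unless /mnt/opt/firewall already exists, and since the pipeline's status is not checked the firewall script is silently absent from the image (so firewall@default.service would fail at first boot). Every other path written in this function is under /mnt; the line should read `sudo mkdir -p /mnt/opt/firewall;`. step7() begins and ends outside this hunk.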
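Review bot: The five chmod lines widen 550/555 to 770/775, adding write permission for the owner and for group 666 (sats) on sats-install, sats-update, sats-loop and everything under /service, and on wlan0.dwc, which has $WIFI_SALT and $WIFI_PEPPER substituted into it; the commit gives no reason for this. These scripts invoke sudo (visible in the sats-install hunks), so letting the unprivileged sats group rewrite them turns a file-write into code that runs with root privileges. If a writer is genuinely needed, 750/755 limits it to the owner, e.g. `sudo chmod 750 /mnt/service/sats-install;`; otherwise the previous modes should stay. The new /mnt/opt/firewall/default.fw, executed as root by firewall@.service, gets no explicit chown/chmod in this section and inherits whatever `sudo tee` creates; pinning it (root-owned, not group/world-writable) here would make that explicit.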
@@ -0,0 +1,11 @@
+# reset defaults
+iptables -F;
+iptables -P OUTPUT ACCEPT;
+iptables -P FORWARD DROP;
+iptables -P INPUT DROP;
+
+# maintenance
+iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
+
+# accept as INPUT all already ESTABLISHED connections
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
diff --git a/clone/utility/firewall@.service b/clone/utility/firewall@.service
new file mode 100644
index 0000000..d6fb348
--- /dev/null
+++ b/clone/utility/firewall@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Firewall autoconf (%i)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/bash /opt/firewall/%i.fw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/clone/utility/iptables b/clone/utility/iptables
deleted file mode 100644
index 91a07b8..0000000
--- a/clone/utility/iptables
+++ /dev/null
@@ -1,28 +0,0 @@
-# reset defaults
-iptables -F;
-iptables -P OUTPUT DROP;
-iptables -P FORWARD DROP;
-iptables -P INPUT DROP;
-
-# maintenance
-iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT;
-
-# SMMP-server
-iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT;
-
-# SMMP
-iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT;
-
-# apt-get
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
-iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT;
-
-# dns
-iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT;
-iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT;
-
-# accept as INPUT all already ESTABLISHED connections
-iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
-
-# accept to OUTPUT all already ESTABLISHED connections
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT;
\ No newline at end of file
diff --git a/clone/utility/sats-install b/clone/utility/sats-install
index caa4d40..29949bf 100644
--- a/clone/utility/sats-install
+++ b/clone/utility/sats-install
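Review bot: With `iptables -P INPUT DROP` and only the port-22 and RELATED,ESTABLISHED rules, there is no accept for the loopback interface, so any component on the device that talks to itself over 127.0.0.1 has its packets dropped; add `iptables -A INPUT -i lo -j ACCEPT;` next to the other INPUT rules. The script has no `set -e`, so under Type=oneshot a failed early command (for example a missing module) does not fail the unit as long as the last iptables call succeeds; `set -e` on the first line makes a partial rule set visible as a failed unit. The rules are IPv4-only: if IPv6 is enabled on the image, ip6tables keeps its default ACCEPT policy and the host is reachable unfiltered over v6, so either mirror the policies with ip6tables or document that IPv6 is disabled.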
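Review bot: The unit orders itself `Before=network-pre.target` but keeps implicit default dependencies, which add After=basic.target; a firewall unit that wants to run before any network setup normally also sets `DefaultDependencies=no` in [Unit], otherwise the early ordering may not be honored or may be resolved by dropping a job if a cycle appears (this depends on which network manager the image uses, so please verify on the target). ExecStart runs `/bin/bash /opt/firewall/%i.fw` as root; applying a rules file with iptables-restore would make the change atomic and avoid executing a shell script, and if the script form is kept it should fail the unit on error rather than only on its last command.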
@@ -14,34 +14,28 @@ slog(){
 }
-# [1] Set up firewall
-slog " * 1. Setting firewall rules";
-sudo sh /home/pi/iptables \
- && slog " > done" \
- || ( slog " > failed" && exit 127 );
-
-# [2] Start ssh service
-slog " * 2. Starting ssh service";
+# [1] Start ssh service
+slog " * 1. Starting ssh service";
 sudo systemctl start ssh \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
-# [3] Notify boot (first or normal) #
+# [2] Notify boot (first or normal) #
 echo;
 test ! -e /target/sync && echo "First Boot" | plog;
 test -e /target/sync && echo "Normal Boot" | plog;
 slog "============";
-# [4] Set random passwords for 'sats'
-echo " * 3. Changing sats password" | plog;
+# [3] Set random passwords for 'sats'
+echo " * 2. Changing sats password" | plog;
 RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
 echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd sats;
 test $? -eq 0 \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
-# [5] Set random passwords for 'pi' itself
-echo " * 4. Changing pi password" | plog;
+# [4] Set random passwords for 'pi' itself
+echo " * 3. Changing pi password" | plog;
 RANDOM_PASS=$(tr -cd A-Za-z0-9_ < /dev/urandom | head -c 256);
 echo -ne "$RANDOM_PASS\n$RANDOM_PASS\n" | sudo passwd pi;
 test $? -eq 0 \
@@ -56,8 +50,8 @@ test $? -eq 0 \
 ################################################
 if [ ! -e /target/sync ]; then
- # (1) If no network -> exit #
- slog " * 5. Checking connectivity";
+ # (x) If no network -> exit #
+ slog " * 4. Checking connectivity";
 test $(systemctl is-active network-online.target) = "active" \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
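Review bot: Step 1 now starts ssh with no check that firewall@default.service, which replaces the removed `sudo sh /home/pi/iptables` step, is actually active, so on an image where the unit failed or was never enabled ssh comes up with the kernel's default accept policy; a guard before `sudo systemctl start ssh` such as `systemctl is-active --quiet firewall@default.service || { slog " > firewall inactive"; exit 127; };` keeps the old firewall-then-ssh ordering. Separately, the `|| ( slog " > failed" && exit 127 );` branches on the new side run `exit` inside a subshell, so the script logs the failure and continues to the next step; `|| { slog " > failed"; exit 127; };` aborts as the message implies. The same pattern appears in every other hunk of this file.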
@@ -66,13 +60,13 @@ if [ ! -e /target/sync ]; then
 # [1] Installation #========================================================#
 # (1) Try to install necessary packages
- slog " * 6. Updating packages";
+ slog " * 5. Updating packages";
 sudo apt-get update;
 test $? -eq 0 \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
- slog " * 7. Installing necessary packages";
+ slog " * 6. Installing necessary packages";
 sudo apt-get -y install git php5 php5-cli php5-curl python-dev;
 test $? -eq 0 \
 && slog " > done" \
@@ -82,7 +76,7 @@ if [ ! -e /target/sync ]; then
 BRANCH=$(sudo cat /home/sats/satsd/conf/machine.branch) > /dev/null;
 # (2) With git if installed #
- slog " * 8. Cloning source";
+ slog " * 7. Cloning source";
 sudo -u sats git clone -b $BRANCH ssh://smmp-server/satsd/git /home/sats/satsd/source;
 test $? -eq 0 \
 && slog " > done" \
@@ -91,7 +85,7 @@ if [ ! -e /target/sync ]; then
 # (2) Enable SPI device #
- echo " * 9. Enabling spi device";
+ echo " * 8. Enabling spi device";
 echo "dtparam=spi=on" | sudo tee -a /boot/config.txt > /dev/null \
 || ( slog " > failed" && exit 127 );
 echo "dtoverlay=spi-bcm2708" | sudo tee -a /boot/config.txt > /dev/null \
@@ -99,13 +93,13 @@ if [ ! -e /target/sync ]; then
 slog " > done";
 # (3) Clone SPI python library #
- slog " * 10. Cloning 'SPI-Py' lib";
+ slog " * 9. Cloning 'SPI-Py' lib";
 git clone https://github.com/lthiery/SPI-Py.git /home/pi/spi-lib \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
 # (4) Install SPI python library #
- slog " * 11. Installing 'SPI-Py' lib into the system";
+ slog " * 10. Installing 'SPI-Py' lib into the system";
 cd /home/pi/spi-lib;
 sudo python setup.py build \
 || ( slog " > failed" && exit 127 );
@@ -123,12 +117,12 @@ if [ ! -e /target/sync ]; then
 source $__DIR__/lib/include/bash/func;
 # (2) Process sync #
- slog " * 12. Synchronizing the SATS with SMMP's server";
+ slog " * 11. Synchronizing the SATS with SMMP's server";
 test "$(sudo -u sats $SOURCE_DIR/lib/api/sync)" = "0" \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );
- slog "Creating target file 'sync'";
+ slog " * 12. Creating target file 'sync'";
 sudo -u sats touch /target/sync \
 && slog " > done" \
 || ( slog " > failed" && exit 127 );