diff --git a/README b/README
index e99abd6..48609e3 100644
--- a/README
+++ b/README
@@ -24,8 +24,10 @@ http://inai.de/documents/Perfect_Ruleset.pdf
 See the instruction at the end how to use firewall-scripted.sh
 To install this project, copy the scripts from sbin/ into your path.
-etc/firewall.config can be copied into your path or into the /etc directory:
-you should modify firewall.config to your needs (for the defaults copy also
+etc/firewall.config can be copied into /etc or /usr/lib/firewall or
+/lib/firewall (if it is readable in a former directory, it is used;
+thus, the latter can be used to provide distribution-wide defaults).
+You should modify firewall.config to your needs (for the default, copy
 etc/firewall.d to the /etc directory and follow etc/firewall.d/README).
 For zsh completion support copy the content of zsh into you $fpath.
diff --git a/etc/firewall.config b/etc/firewall.config
index 77389d2..0474060 100644
--- a/etc/firewall.config
+++ b/etc/firewall.config
@@ -1,8 +1,11 @@
 #!/bin/sh
 # This is the config file for Martin V\"ath's firewall script.
-# It is sourced by the latter.
-# Please modify to your needs before you use the firewall script.
+#
+# More precisely, this script is used by the firewall script if
+# 1. It is /etc/firewall.config
+# 2. It is /usr/lib/firewall/firewall.config or /lib/firewall/firewall.config
+# and the earlier mentioned files are not readable.
 # This file honours the existence/nonexistence of the following files:
 # /etc/firewall.d/dhcp-client If this exists, DHCP clients are allowed
@@ -12,15 +15,10 @@
 # Some things may become clearer if you look at the default
-# We make use of "[0-9]" in this config, so we need correct LC_COLLATE:
-LC_COLLATE=C
-export LC_COLLATE
-unset LC_ALL
-
 # In order to configure, one might need the active sshd port "$SSHPORT":
 # This port is read from /etc/ssh/sshd_config (default: "ssh")
-SSHPORT=`sed -n -e 's/^ *Port *\([0-9]*\) *$/\1/p' /etc/ssh/sshd_config` \
+SSHPORT=`sed -n -e 's/^ *Port *\([0123456789]*\) *$/\1/p' /etc/ssh/sshd_config` \
 && [ -n "${SSHPORT:++}" ] || SSHPORT='ssh'
 # We setup an example how $SSHPORT can be reached from outside after
@@ -29,7 +27,7 @@ SSHPORT=`sed -n -e 's/^ *Port *\([0-9]*\) *$/\1/p' /etc/ssh/sshd_config` \
 # you might want instead to use instead its config file.
 # If we cannot read this file, we use an example sequence:
 test -r /etc/knockd.conf \
-&& KNOCKSEQ=`sed -n -e '/sequence/{s/[^0-9,]//g;s/,/ /g;p}' /etc/knockd.conf` \
+&& KNOCKSEQ=`sed -n -e '/sequence/{s/[^0123456789,]//g;s/,/ /g;p}' /etc/knockd.conf` \
 && [ -n "${KNOCKSEQ:++}" ] && Push -c KNOCKSEQ $KNOCKSEQ "$SSHPORT" \
 || Push -c KNOCKSEQ 8000 4000 3000 7000 6000 9000 2000 "$SSHPORT"
@@ -46,7 +44,7 @@ else Push -c LOCALNETSIN
 j=`. "$i" && echo ${ifconfig_eth0-} ${ifconfig_lan0-} ${ifconfig_net0-}` \
 && j="${j%% *}" && j="${j%% *}" && case ${j:-x} in
- *[!0-9.]*)
+ *[!0123456789.]*)
 :;;
 *)
 Push -c LOCALNETSIN "$j"
diff --git a/sbin/firewall b/sbin/firewall
index a42daa0..72912ec 100755
--- a/sbin/firewall
+++ b/sbin/firewall
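Review bot: The new SSHPORT line still yields a multi-line value when sshd_config carries more than one `Port` directive, which sshd permits, and `[ -n "${SSHPORT:++}" ]` accepts that, so the later `"$SSHPORT"` argument would carry embedded newlines instead of a single port. A guard in the file's own style on the following line, `case ${SSHPORT:-x} in *[!0123456789]*) SSHPORT='ssh';; esac`, covers both the empty and the multi-match case. The pattern also matches only a capitalised `Port` separated by spaces, while sshd reads keywords case-insensitively and accepts tabs; if that matters here, widening the bracket expressions is cheap. The KNOCKSEQ sed in the next hunk has the same multi-match shape (one line per section containing `sequence`), though there the unquoted `$KNOCKSEQ` silently merges the lists into one sequence.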
@@ -267,10 +267,15 @@ IPT6=:
 # Usually, you will only use this to modify the above array variables or
 # functions so that certain services will not be blocked.
-if test -r /etc/firewall.config
-then . /etc/firewall.config
-else . firewall.config
-fi
+for source_file in \
+ /etc/firewall.config \
+ /usr/lib/firewall/firewall.config \
+ /lib/firewall/firewall.config
+do test -r "$source_file" || continue
+ test -d "$source_file" && continue
+ ! test -f "$source_file" || . "$source_file"
+ break
+done
 set -f
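Review bot: In the `! test -f "$source_file" || . "$source_file"` line a readable candidate that is neither a directory nor a regular file is not sourced, yet the following `break` still ends the loop, so the remaining candidates are never tried and the script continues with no configuration loaded at all. Presumably the break is meant for the sourced case only; filtering on the file type first, `do test -f "$source_file" && test -r "$source_file" || continue`, then `. "$source_file"` and `break`, gives that and makes the separate `test -d` line unnecessary. The old `. firewall.config` at least failed visibly when nothing was found, whereas the loop now ends quietly; a stderr message after `done` when no file was sourced would keep that signal for a script whose blocking rules depend on the config.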