diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md
index 2daddff..54b01ff 100644
--- a/content/posts/linux/Desktop Linux Hardening.md	
+++ b/content/posts/linux/Desktop Linux Hardening.md	
@@ -244,8 +244,11 @@ You could also set your default firewall zone to drop packets. To implement this
 firewall-cmd --set-default-zone=drop
 firewall-cmd --add-protocol=ipv6-icmp --permanent
 firewall-cmd --add-service=dhcpv6-client --permanent
+firewall-cmd --reload
 ```
 
+On some distributions, it may be possible for unauthorized users or applications to make firewall changes through polkit. To disable this, enable firewalld _lockdown mode_ with `sudo firewall-cmd --lockdown-on`.
+
 These firewalls use the [netfilter](https://netfilter.org/) framework and therefore cannot (without the help of strict [mandatory access control](#mandatory-access-control)) protect against malicious software running privileged on the system, which can insert their own routing rules that sidestep firewalld/ufw.
 
 There are some per‑binary outbound firewalls such as [OpenSnitch](https://github.com/evilsocket/opensnitch) and [Portmaster](https://safing.io/portmaster/) that you could use as well. But, just like firewalld and ufw, they are bypassable.