diff --git a/linux_hardening.txt b/linux_hardening.txt index 6257390..b55bb52 100644 --- a/linux_hardening.txt +++ b/linux_hardening.txt @@ -2,6 +2,7 @@ Linux Hardening Points and ideas License: GNU Free Documentation License - Version 1.3, 3 November 2008 (for details, see LICENSE.txt) Author: 51x + ========= Debian hardening points for workstations @@ -42,6 +43,7 @@ Debian hardening points for workstations -a exit,always -F arch=b32 -F euid=0 -S execve + ===== Kernel @@ -52,17 +54,19 @@ Kernel echo -e '''kernel.dmesg_restrict=1\nkernel.kptr_restrict=1\nkernel.kexec_load_disabled=1\nkernel.yama.ptrace_scope=1\nuser.max_user_namespaces=0''' >> /etc/sysctl.conf +===== +Booting with TPM + +https://safeboot.dev/ + + ===== Firewall -- Disable IPv6 - echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist - echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf - echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6 - echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 -- Configure firewall to DROP everything by default and allow only manadotory connections for root and the first user. For IPv4. +- Configure firewall to DROP everything by default and allow only manadotory connections for root, aptitude, dns and the first user. Edit before apply! + #!/bin/bash IPT=/sbin/iptables $IPT -F 
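Review bot: The re-worded bullet still carries the typo `manadotory` on its new side; `- Configure firewall to DROP everything by default and allow only mandatory connections for root, aptitude, dns and the first user. Edit before apply!`. The script that starts at `#!/bin/bash` / `IPT=/sbin/iptables` has no `set -e`, so a rule that iptables rejects (a typo'd UID or an unparsable address) is skipped with only a message on stderr while the later `-P ... DROP` policies are still applied; adding `set -e` after the shebang makes a broken rule set stop before the policies flip. The script body continues in the next hunk.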
@@ -70,16 +74,45 @@ Firewall $IPT -X $IPT -N Allower $IPT -A OUTPUT -j Allower + $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT + $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude + $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/ + $IPT -A INPUT --in-interface lo -j ACCEPT $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -P OUTPUT DROP $IPT -P INPUT DROP $IPT -P FORWARD DROP -- Additional firewall hardening: match UID and only allow the users that really need network. The following example is DNS server ACCEPT. - $IPT -A OUTPUT -m owner --uid-owner 112 -d 185.121.177.177 -p udp --dport 53 -j ACCEPT + + IPT=/sbin/ip6tables + $IPT -F + $IPT -F -t nat + $IPT -X + $IPT -N Allower + $IPT -A OUTPUT -j Allower + + $IPT -A Allower -m owner --uid-owner 0 -j ACCEPT + $IPT -A Allower -m owner --uid-owner 1000 -j ACCEPT + $IPT -A Allower -m owner --uid-owner 105 -j ACCEPT # Aptitude + $IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT # DNS, https://www.opennic.org/ + + $IPT -A INPUT --in-interface lo -j ACCEPT + $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + $IPT -P OUTPUT DROP + $IPT -P INPUT DROP + $IPT -P FORWARD DROP + + + +- Optionally, disable IPv6 + echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist + echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf + echo "1" > /proc/sys/net/ipv6/conf/all/disable_ipv6 + echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 + ===== @@ -99,6 +132,7 @@ Remote management GatewayPorts no # Note that it won't allow port forawrding! + ===== Browser basics 
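Review bot: The new ip6tables block copies the IPv4 resolver rule verbatim, so `$IPT -A OUTPUT -m owner --uid-owner 112 -d 94.247.43.254 -p udp --dport 53 -j ACCEPT` is run against `/sbin/ip6tables` with an IPv4 destination, which ip6tables cannot parse as an IPv6 address and rejects; the rule is therefore never installed and, with `OUTPUT DROP` applied afterwards, the resolver user has no IPv6 path at all despite the "DNS" comment — use the resolver's IPv6 address there or drop the line. With INPUT and OUTPUT at DROP and only `--state ESTABLISHED,RELATED` accepted, ICMPv6 neighbour discovery and router advertisements are blocked too, so IPv6 will not come up on the host unless `-p ipv6-icmp` traffic is accepted; if the intent is to run without IPv6, the re-added "Optionally, disable IPv6" block makes the whole ip6tables section redundant and that should be stated. The numeric UIDs 105 and 112 are installation-specific; `--uid-owner` also accepts user names, so writing the Debian apt download user as `--uid-owner _apt` (and the resolver daemon by name) is safer than a bare number that only the "Edit before apply!" caveat guards — the actual account names on the author's system are not visible in the hunk, so confirm them before changing the comments. In the re-added disable block, `/etc/modprobe.d/blacklist` lacks the `.conf` suffix that modprobe requires for files in that directory, so the blacklist entry is never read; on Debian kernels IPv6 is normally built in rather than a module anyway, so the sysctl lines are the ones that actually take effect and the blacklist line could be removed or at least renamed to `blacklist.conf`.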
@@ -124,3 +158,10 @@ Gentoo hardening points Gentoo + musl + openrc or runit + luks (or zfs native enc) + zfs + apparmor or selinux Plus CACert and repobuilds. + + + +========= +Alpine Linux laptop references +https://wiki.alpinelinux.org/wiki/Setting_up_a_laptop +https://faq.i3wm.org/question/83/how-to-run-i3lock-after-computer-inactivity.1.html