diff --git a/modules/security.nix b/modules/security.nix
index c9a2d1d..1fdc7bc 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -5,7 +5,7 @@
 let cfg = config.modules.security;
 in {
 options.modules.security = {
- useDoas = mkEnableOption "use doas instead of sudo";
+ useDoas = mkEnableOption "use opendoas instead of sudo";
 };
 config = mkIf cfg.enable {
@@ -51,10 +51,14 @@ in {
 security = {
 # prevents replacing the kernel without a reboot
 protectKernelImage = true;
- # allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
+ # rtkit allows unprivileged processes to use realtime scheduling
+ # polkit allows unprivileged processes to speak to privileged processes (ex. nmtui, reboot)
 rtkit.enable = true;
 polkit.enable = true;
 };
+ # while this is on by default, i am going to explicitly specify this
+ networking.firewall.enable = true;
 } // (mkIf cfg.useDoas {
 security.sudo.enable = false;
 security.doas.enable = true;
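Review bot: The context line `} // (mkIf cfg.useDoas {` means the newly added `networking.firewall.enable = true;` — along with `protectKernelImage`, `rtkit` and `polkit` in the same body — never reaches the evaluated config: `mkIf` returns a plain attrset `{ _type = "if"; condition = …; content = …; }`, and `//` is a right-biased shallow merge, so the `mkIf cfg.useDoas` value on the right replaces all three keys of the `mkIf cfg.enable` value opened in the earlier hunk instead of combining their contents. The module's effective output is therefore only the sudo/doas toggle, and it is gated on `cfg.useDoas` rather than `cfg.enable`, so the hardening this commit documents is not actually applied. Combine the two conditionals with `mkMerge` instead: change the opening line in the first hunk to `config = mkMerge [ (mkIf cfg.enable {`, this line to `}) (mkIf cfg.useDoas {`, and the final closer (outside this hunk) to `}) ];`. Once the firewall line takes effect, consider also declaring any `networking.firewall.allowedTCPPorts` the host relies on, since leaving that to defaults is what the explicit `enable = true` is meant to make visible.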