diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index 143719f0..fdca331a 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/firewalld
-profile firewalld @{exec_path} {
+profile firewalld @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -15,10 +15,12 @@ profile firewalld @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability mknod,
 capability net_admin,
 capability net_raw,
 capability setpcap,
+ capability sys_module,
 network inet raw,
 network inet6 raw,
@@ -50,10 +52,11 @@ profile firewalld @{exec_path} {
 @{bin}/false rix,
 @{bin}/ipset rix,
 @{bin}/kmod rPx,
+ @{bin}/modprobe rPx,
 @{bin}/xtables-legacy-multi rix,
 @{bin}/xtables-nft-multi rix,
- /usr/local/lib/python3.10/dist-packages/ r,
+ /usr/local/lib/python*/dist-packages/ r,
 /usr/share/libalternatives/ r,
 /usr/share/libalternatives/ebtables*/{,*} r,
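Review bot: `capability sys_module,` and `capability dac_read_search,` are added to the firewalld profile itself without a comment naming the operation that needs them, while the next hunk already delegates module loading to `@{bin}/modprobe rPx`, which runs under its own profile and its own capability set. If the logged denial comes from the firewalld process calling into the kernel directly, record that beside the rule; if it was only modprobe's activity before the rPx transition existed, sys_module can likely be dropped here. Suggest `capability sys_module, # TODO(review): name the operation that triggers this; modprobe runs confined via rPx` and a similar note for dac_read_search, which grants reads past directory permission checks profile-wide. The profile body continues outside this hunk.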
@@ -62,20 +65,38 @@ profile firewalld @{exec_path} {
 /etc/firewalld/{,**} rw,
 /etc/iproute2/group r,
 /etc/iproute2/rt_realms r,
+ # Maybe change to as in kmod,lspci,...?
+ # /etc/modprobe.d/{,*.conf} r,
+ /etc/modprobe.d/ r,
+ /etc/modprobe.d/firewalld-sysctls.conf r,
 /var/lib/ebtables/lock rwk,
 /var/log/firewalld rw,
 @{run}/firewalld/{,*} rw,
+ @{run}/modprobe.d/ r, # Maybe change to as in kmod,lspci?
+ # @{run}/modprobe.d/{,*.conf} r,
 @{run}/xtables.lock rwk,
+ @{PROC}/cmdline r,
 @{PROC}/sys/kernel/modprobe r,
 @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pids}/net/ip_tables_names r,
+ @{sys}/module/compression r,
+ # Maybe change to as in systemd-modules-load?
+ # @{sys}/module/*/initstate r,
+ @{sys}/module/crc32c_generic/initstate r,
+ @{sys}/module/crc32c_intel/initstate r,
+ @{sys}/module/libcrc32c/initstate r,
+ @{sys}/module/nf_conntrack/initstate r,
+ @{sys}/module/nf_conntrack_tftp/initstate r,
+ @{sys}/module/nf_defrag_ipv{4,6}/initstate r,
+ @{sys}/module/nf_nat/initstate r,
+ include if exists
 }
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3239cd47..737531b4 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -106,6 +106,7 @@ fail2ban-server attach_disconnected,complain
 fdisk complain
 firewall-applet attach_disconnected,complain
 firewall-config complain
+firewalld attach_disconnected,complain
 flameshot complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
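Review bot: The `# Maybe change to … as in kmod,lspci…?` and `# Maybe change to … as in systemd-modules-load?` comments (three in this hunk) leave an open question in the shipped profile, and as rendered here the target they refer to is missing, so a later reader cannot tell what the alternative is. The commented-out alternatives `@{run}/modprobe.d/{,*.conf} r,` and `@{sys}/module/*/initstate r,` are broader than the enumerated rules the hunk keeps, and the enumerated form is the tighter choice for a daemon that also holds net_admin; suggest resolving them now and replacing each with a statement such as `# Enumerated initstate rules kept on purpose: @{sys}/module/*/initstate would expose every module's state`. Also worth confirming that `/etc/modprobe.d/firewalld-sysctls.conf r,` is the only file firewalld reads from that directory, since the hunk grants the directory listing but no glob. The profile body starts before this hunk.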