diff --git a/.gitignore b/.gitignore
index 6ca1317..cf4f630 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
/tcpcrypt-bb990b1bfb0e411f0613abdaf3b71fdce50a82cf.tar.gz
/tcpcrypt-0.4.tar.gz
-/tcpcrypt-0.5.tar.gz
diff --git a/sources b/sources
index 6a603fb..b4cefa3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tcpcrypt-0.5.tar.gz) = aa7068e24c16449e84cc06450bbbac0a245df4f7883eef3c5cc10afb3592f194d42103d06e3e072ad997d09835545fa71bfecd57209ee45c07433f64fb6f0048
+b2d9f68a680ea4f4cd86c81fb6a813c0 tcpcrypt-0.4.tar.gz
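Review bot: The new `sources` entry pins tcpcrypt-0.4.tar.gz with a bare MD5 digest, where the line it replaces used SHA512. MD5 is not collision-resistant, so it is a weak integrity check for a tarball that `Source0` in tcpcrypt.spec fetches over plain `http://`. Record the tarball in the SHA512 format instead: `SHA512 (tcpcrypt-0.4.tar.gz) = <sha512-of-the-0.4-tarball>` (placeholder; compute it from the verified upstream file).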
diff --git a/tcpcrypt-firewalld.xml b/tcpcrypt-firewalld.xml
new file mode 100644
index 0000000..01ecbd0
--- /dev/null
+++ b/tcpcrypt-firewalld.xml
@@ -0,0 +1,12 @@
+
+
+
+
+ -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+ -j tcpcrypt
+
+
+
+ -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
+ -j tcpcrypt
+
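Review bot: Both NFQUEUE rules in this file (`-j NFQUEUE --queue-num 666`, in each of the two rule groups) omit `--queue-bypass`, so packets are dropped whenever nothing is bound to queue 666. If these are loaded as permanent firewalld direct rules, they stay active independently of tcpcryptd, and a stopped or crashed daemon would then cut off matching TCP traffic on the host. Consider `-p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666 --queue-bypass`. That makes the rule fail open, so traffic passes unencrypted while the daemon is down; an XML comment should state which behaviour is intended. The XML element lines are not visible in this view, so the table and chain each rule attaches to could not be checked.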
diff --git a/tcpcrypt.spec b/tcpcrypt.spec
index 050228a..fd1acf1 100644
--- a/tcpcrypt.spec
+++ b/tcpcrypt.spec
@@ -3,25 +3,30 @@
Summary: Opportunistically encrypt TCP connections
Name: tcpcrypt
-Version: 0.5
-Release: 19%{?dist}
-# Automatically converted from old format: BSD - review is highly recommended.
-License: LicenseRef-Callaway-BSD
+Version: 0.4
+Release: 5%{?dist}
+Group: System Environment/Libraries
+License: BSD
Url: http://tcpcrypt.org/
Source0: http://tcpcrypt.org//%{name}-%{version}.tar.gz
SOURCE1: tmpfiles-tcpcrypt.conf
SOURCE2: tcpcryptd.service
SOURCE3: tcpcryptd-firewall
+SOURCE4: tcpcrypt-firewalld.xml
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-BuildRequires: make
-BuildRequires: gcc
BuildRequires: openssl-devel libnetfilter_queue-devel libcap-devel
BuildRequires: libnetfilter_conntrack-devel libpcap-devel
+%if %{snapshot}
BuildRequires: libtool autoconf automake
+%endif
+
BuildRequires: systemd
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
+Requires(pre): shadow-utils
+# we need to require it to install our file
+Requires: firewalld
%description
Provides a protocol that attempts to encrypt (almost) all of your
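Review bot: `Requires: firewalld` makes the firewall daemon a hard dependency only so that a rules file can be installed, as the comment above it says, even though tcpcryptd-firewall still carries an iptables path for hosts without firewalld. If the file only needs firewalld's directories to exist, `Requires: firewalld-filesystem` would cover that without forcing the daemon onto every install. Where SOURCE4 is installed is not visible in this hunk, so confirm the target directory first. Separately, `%if %{snapshot}` fails to parse when the macro is undefined; it is presumably defined in the two lines above the hunk, otherwise `%if 0%{?snapshot}` is the safe form.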
@@ -32,6 +37,7 @@ end does not support
%package devel
Summary: Development package that includes the tcpcrypt header files
+Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel
@@ -39,42 +45,40 @@ The devel package contains the tcpcrypt library and the include files
%package libs
Summary: Libraries used by tcpcryptd server and tcpcrypt-aware applications
+Group: Applications/System
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
%description libs
Contains libraries used by tcpcryptd server and tcpcrypt-aware applications
%prep
-%autosetup
-
-# Create a sysusers.d config file
-cat >tcpcrypt.sysusers.conf </dev/null || groupadd -r tcpcryptd
+getent passwd tcpcryptd >/dev/null || \
+useradd -r -g tcpcryptd -d /var/run/tcpcryptd -s /sbin/nologin \
+-c "tcpcrypt daemon account" tcpcryptd || exit 0
%post
%systemd_post tcpcryptd.service
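Review bot: The trailing `|| exit 0` on the `useradd` line means a failed account creation is silently ignored and the package installs without the `tcpcryptd` user. Whether tcpcryptd.service then fails to start or runs without dropping privileges is not visible in this diff, so the failure should at least leave a trace: end the chain with `|| echo "tcpcrypt: could not create tcpcryptd account" >&2` and put a plain `exit 0` on its own line after it. The text of this hunk around `%prep` is incomplete in this view, so the scriptlet's header line is not shown.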
@@ -103,73 +113,6 @@ install -m0644 -D tcpcrypt.sysusers.conf %{buildroot}%{_sysusersdir}/tcpcrypt.co
%systemd_postun_with_restart tcpcryptd.service
%changelog
-* Fri Jul 25 2025 Fedora Release Engineering - 0.5-19
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek - 0.5-18
-- Add sysusers.d config file to allow rpm to create users/groups automatically
-
-* Sun Jan 19 2025 Fedora Release Engineering - 0.5-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Wed Sep 04 2024 Miroslav Suchý - 0.5-16
-- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering - 0.5-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Sat Jan 27 2024 Fedora Release Engineering - 0.5-14
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering - 0.5-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu Feb 23 2023 Eric Garver - 0.5-12
-- remove bash-isms from tcpcryptd-firewall
-
-* Thu Feb 23 2023 Eric Garver - 0.5-11
-- remove broken firewalld service definition
-
-* Sat Jan 21 2023 Fedora Release Engineering - 0.5-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Sat Jul 23 2022 Fedora Release Engineering - 0.5-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Sat Jan 22 2022 Fedora Release Engineering - 0.5-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Tue Sep 14 2021 Sahana Prasad - 0.5-7
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering - 0.5-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.5-5
-- Rebuilt for updated systemd-rpm-macros
- See https://pagure.io/fesco/issue/2583.
-
-* Wed Jan 27 2021 Fedora Release Engineering - 0.5-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering - 0.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Fri Jan 31 2020 Fedora Release Engineering - 0.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sun Aug 04 2019 Filipe Rosset - 0.5-1
-- Update to 0.5 plus spec cleanup and modernization
-
-* Sat Jul 27 2019 Fedora Release Engineering - 0.4-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering - 0.4-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sat Jul 14 2018 Fedora Release Engineering - 0.4-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
* Fri Feb 09 2018 Fedora Release Engineering - 0.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
diff --git a/tcpcryptd-firewall b/tcpcryptd-firewall
index 33d1075..e598db8 100755
--- a/tcpcryptd-firewall
+++ b/tcpcryptd-firewall
@@ -1,7 +1,20 @@
#!/bin/sh
-# use iptables manually
-if [ "$1" = "start" ]
+# Check if we need to use firewalld or will handle rules directly with iptables
+
+
+systemctl status firewalld.service >/dev/null
+RETVAL=$?
+if [ $RETVAL -eq 0 ]
+then
+ # use firewalld
+ firewall-cmd --reload
+ firewall-cmd --direct --get-rules ipv4 raw tcpcrypt
+ firewall-cmd --direct --get-rules ipv4 mangle tcpcrypt
+else
+ # use iptables manually
+
+if [ "$1" == "start" ]
then
iptables -t raw -N tcpcrypt
iptables -t raw -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
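Review bot: The firewalld branch never looks at `$1`, so `start` and `stop` both run `firewall-cmd --reload` followed by two `--get-rules` queries that only print rules and change nothing. On `stop` the tcpcrypt direct rules therefore stay loaded, and with an NFQUEUE target and no listener on queue 666 matching TCP packets would be dropped. As a side effect, `--reload` also discards every other runtime-only firewalld change on the host. The branch should switch on `$1`, adding the direct rules on `start` and removing them on `stop`, and the probe reads more clearly as `if systemctl is-active --quiet firewalld.service`. The `else` body continues past this hunk.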
@@ -13,7 +26,7 @@ then
# launch `tcpcryptd` with `-x 0x10`
fi
-if [ "$1" = "stop" ]
+if [ "$1" == "stop" ]
then
iptables -t raw -F tcpcrypt
iptables -t raw -D PREROUTING -j tcpcrypt
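Review bot: `[ "$1" == "stop" ]` uses `==`, which POSIX `test` does not define, under a `#!/bin/sh` shebang; where /bin/sh is dash the test reports an error and evaluates false, so the cleanup rules are never run. The same applies to the `start` test in the first hunk of this file. Keep the portable forms `if [ "$1" = "stop" ]` and `if [ "$1" = "start" ]`.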
@@ -21,3 +34,5 @@ then
iptables -t mangle -F tcpcrypt
iptables -t mangle -D PREROUTING -j tcpcrypt
fi
+
+fi