From 5121f80f28d374d78bb3897a46fe924d750f4643 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun, 2 Nov 2025 06:00:24 -0500
Subject: [PATCH] comment

---
 .../rules.d/30_security-misc.conf#security-misc-shared       | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared b/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared
index 5e772db..7315d9d 100644
--- a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared
+++ b/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared
@@ -1,6 +1,11 @@
 ## We allow devices that were plugged in before the daemon starts. Everything
 ## is blocked as the default. Following rules apply on top of this.
 
+## First match wins. Therefore, reject rules should be on the top.
+## Quote:
+## https://usbguard.github.io/documentation/rule-language
+## > the daemon scans the existing rules sequentially
+
 ## Explicitly reject any interface that is not documented and/or defined by
 ## USB.org.
 ## Note: Most probably superfluous.