diff --git a/THOUGHTS.txt b/THOUGHTS.txt index 4577f8b..b035a03 100644 --- a/THOUGHTS.txt +++ b/THOUGHTS.txt @@ -6969,7 +6969,7 @@ Sun Feb 2 20:59:56 GMT 2025 What's the smallest first step? - - how can we make firewallgen output sets (or could we + - [done] how can we make firewallgen output sets (or could we make the firewall service tack them on afterwards) - make a longrun that watches its own zones output and updates the @@ -6981,3 +6981,34 @@ whether you made the zone sets; (2) whether your rules use them. Conclusion: if you supply `rules` then you also have to say whether you want the longrun or not. So add a param watchForInterfaceUpdates which defaults true + +Mon Feb 3 21:12:55 GMT 2025 + +the thing that updates sets has to know they exist, so the interface watcher +service must live in the firewall module + +the firewall service defn should return the firewall service after +adding the interface watcher as a dependency of it. Or: the watcher +should make the sets and then the firewall service could depend on _it_. +That would mean that the firewall service would fail if it used sets +that the watcher didn't make, is that good or bad or indifferent? + +the interface services have to know about the watcher as well in order +to write into its outputs, so it can't be hidden inside the module + +maybe the watcher service should _be_ the firewall service. + +we could add a "notify" param to an interface which would be an output +reference to (the firewall service / zones / lan ) that the interface would +write its ifname into when the service is up + +Wed Feb 5 00:14:29 GMT 2025 + +another thought: the firewall service could have params to say +which interface services are in which zones + +we'd have to ensure that the interface services did not end up as +dependencies of the firewall + +then the firewall could watch each interface service for the ifname +output and add it to the right zone
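Review bot: in the first hunk the item is marked `[done]` but the line still reads as an open question with two alternatives ("make firewallgen output sets" vs. "make the firewall service tack them on afterwards"), and nothing records which one was implemented; suggest amending it to `- [done: firewallgen emits the sets]` or `- [done: firewall service appends them]`, whichever is true, so a later reader of THOUGHTS.txt does not have to reverse-engineer the decision from the code.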
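Review bot: the Feb 3 entry in the second hunk leaves "the firewall service would fail if it used sets that the watcher didn't make, is that good or bad or indifferent?" unanswered; from a fail-closed standpoint that is the preferable behaviour, since a firewall that starts with rules referencing sets nobody created would be running with the zone restrictions silently missing, and it is worth recording that as the decision rather than an open question. The Feb 5 entry has the same gap: "we'd have to ensure that the interface services did not end up as dependencies of the firewall" states the constraint but not the reason, so a one-line note on why (what goes wrong if they do) would keep the constraint from being dropped when the param design is revisited.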