diff --git a/firewall/config.go b/firewall/config.go
index 19d1b9c4..661e1f59 100644
--- a/firewall/config.go
+++ b/firewall/config.go
@@ -29,10 +29,10 @@ func registerConfig() error {
 	err := config.Register(&config.Option{
 		Name:           "Permanent Verdicts",
 		Key:            CfgOptionPermanentVerdictsKey,
-		Description:    "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
+		Description:    "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision in order to drastically increase performance.",
 		Order:          CfgOptionPermanentVerdictsOrder,
 		OptType:        config.OptTypeBool,
-		ExpertiseLevel: config.ExpertiseLevelExpert,
+		ExpertiseLevel: config.ExpertiseLevelDeveloper,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
 		DefaultValue:   true,
 	})
diff --git a/firewall/interception.go b/firewall/interception.go
index 87675f73..a75eca91 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -288,7 +288,7 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 		err = pkt.RerouteToTunnel()
 	case network.VerdictFailed:
 		atomic.AddUint64(packetsFailed, 1)
-		fallthrough
+		err = pkt.Drop()
 	default:
 		atomic.AddUint64(packetsDropped, 1)
 		err = pkt.Drop()