diff --git a/config/etc/sf.conf b/config/etc/sf.conf old mode 100755 new mode 100644 diff --git a/encfsd/Dockerfile b/encfsd/Dockerfile old mode 100755 new mode 100644 diff --git a/encfsd/portd.sh b/encfsd/portd.sh index ef08d65..a3225a7 100755 --- a/encfsd/portd.sh +++ b/encfsd/portd.sh @@ -154,9 +154,6 @@ cmd_getport() local err lid="$1" - # Add all LIDs that requested a reverse port fw to global set. - redr SADD "portd:req_port" "${lid}" >/dev/null - # Get a Port # [PROVIDER] [PORT] i=0 @@ -193,26 +190,41 @@ cmd_getport() } - # Calld from cmd_remport # Exec in VPN context to deletion of ports. # -# [PROVIDER] [ ...] +# [PROVIDER] [LID] [ ...] remport_provider() { + local lid local provider - provider="$1" + lid="$1" + provider="$2" - shift 1 + shift 2 [[ ${#@} -lt 1 ]] && return - DEBUGF "PARAM-${#@} $*" + # DEBUGF "PARAM-${#@} $*" - docker exec "sf-${provider,,}" /sf/bin/rportfw.sh delports "$@" + # FIXME: Shall we rather queue the ports for deletion and delete them in + # bulk when we drop below WM_LOW? + # Otherwise curl is called every time an instance exits: An observer + # monitoring the VPN Provider _and_ the SF could correlate reverse port + # with user's IP. + # DELIPPORTS+=($@) + docker exec "sf-${provider,,}" /sf/bin/rportfw.sh delipports "$@" + + # Delete from assgned-$provider list the specifuc IPPORT + local ipport + local members + for ipport in "$@"; do + members+=("${lid} ${ipport}") + done + redr SREM "portd:assigned-${provider}" "${members[@]}" >/dev/null } # Remove Ports from LID. Typically called when instance is terminated. -# We never add ports back to the pool so that the same port +# We never add ports back to the pool. This means that the same port # is less likely to be reused. # # The downside is that this causes a CURL request to the VPN provider 
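Review bot: In remport_provider the `shift 2` runs before the `[[ ${#@} -lt 1 ]] && return` guard, so a call with fewer than two arguments fails at the shift rather than returning cleanly; moving the guard up as `[[ $# -lt 3 ]] && return` (before the shift) or writing `shift 2 || return` covers it. The new `redr SREM "portd:assigned-${provider}" "${members[@]}"` keys the set with the caller's mixed-case name (`CryptoStorm`) while the docker target uses `${provider,,}`; if the matching SADD elsewhere lower-cases the key the removal silently misses, and the `>/dev/null` hides the reply, so this is worth confirming against the SADD site, which is not in this diff. The FIXME about bulk deletion is a sound privacy observation and deserves a tracking note rather than a commented-out `DELIPPORTS+=($@)`. The comment typos `assgned` and `specifuc` could be fixed while here.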
@@ -229,7 +241,6 @@ cmd_remport() local provider DEBUGF "CMD_REMPORT lid=$lid" - redr SREM "portd:req_port" "${lid}" >/dev/null # Remove routing # -> Dont need to. There is no harm leaving it. @@ -254,12 +265,9 @@ cmd_remport() done # Delete ports for each provider - # FIXME: We could queue the ports up and then check every 15 minutes if we need to make - # a call to the VPN Provider. - # On the other hand we like to get rid of a Port as soon as possible. - remport_provider "CryptoStorm" "${c_ipports[@]}" - remport_provider "NordVPN" "${n_ipports[@]}" - remport_provider "Mullvad" "${m_ipports[@]}" + remport_provider "${lid}" "CryptoStorm" "${c_ipports[@]}" + remport_provider "${lid}" "NordVPN" "${n_ipports[@]}" + remport_provider "${lid}" "Mullvad" "${m_ipports[@]}" } # VPN provider goes UP. @@ -306,11 +314,13 @@ cmd_vpndown() # port forwards assigned to it. # Remove Lid's key/value for this port forward. red SREM "portd:assigned-${lid}" "${provider} ${ipport}" >/dev/null - value+=("${provider}") + value+=("${provider} ${ipport}") done - # FIXME-2022: remote from SCARD portd:ports + # Remove from portd:ports + red SREM "portd:ports" "${value[@]}" >/dev/null + # Delete container files rm -f "${files[@]}" &>/dev/null @@ -342,11 +352,13 @@ cmd_fillstock() local good local ret local req_num + local max_needed while [[ $in_stock -lt $WM_HIGH ]]; do unset good + max_needed=$((WM_HIGH - in_stock)) - req_num=$(( (WM_HIGH - in_stock) / ${#arr[@]} + 1)) - [[ $req_num -gt $WM_HIGH ]] && req_num="$WM_HIGH" + req_num=$(( $max_needed / ${#arr[@]} + 1)) + [[ $req_num -gt $max_needed ]] && req_num="$max_needed" for provider in "${arr[@]}"; do members=($(docker exec "sf-${provider,,}" /sf/bin/rportfw.sh moreports "${req_num}")) ret=$? 
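Review bot: `red SREM "portd:ports" "${value[@]}"` in cmd_vpndown is issued unconditionally, but when the preceding loop matched nothing `value` is empty and SREM is sent with no members, which Redis rejects; the `>/dev/null` hides that reply, so guard it with `[[ ${#value[@]} -gt 0 ]] && red SREM "portd:ports" "${value[@]}" >/dev/null`. On the same path the per-LID set is cleaned via `portd:assigned-${lid}`, but as far as this hunk shows the `"${lid} ${ipport}"` member that remport_provider removes from `portd:assigned-${provider}` is not touched, so if nothing outside the hunk does it the per-provider set keeps stale entries after a VPN-down. cmd_vpndown's body starts and ends outside the hunk.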
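Review bot: In cmd_fillstock the new `req_num=$(( $max_needed / ${#arr[@]} + 1))` uses `$` on a variable inside arithmetic, which ShellCheck flags (SC2004); `req_num=$(( max_needed / ${#arr[@]} + 1 ))` is the idiomatic form. The clamp `[[ $req_num -gt $max_needed ]] && req_num="$max_needed"` is correct for the new bound, but a one-line comment such as `# never ask a provider for more than the total shortfall` would explain why the cap changed from WM_HIGH. cmd_fillstock continues outside the hunk.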
@@ -412,7 +424,7 @@ redis_loop_forever() fi # Check the fill stock every 60-70 seconds - [[ $((fillstock_last_sec + 6)) -lt $NOW ]] && { fillstock_last_sec="$NOW"; cmd_fillstock; } + [[ $((fillstock_last_sec + 60)) -lt $NOW ]] && { fillstock_last_sec="$NOW"; cmd_fillstock; } done } diff --git a/guest/fs-root/sf/bin/sf-motd.sh b/guest/fs-root/sf/bin/sf-motd.sh index 2b90fb8..b8f8d8e 100755 --- a/guest/fs-root/sf/bin/sf-motd.sh +++ b/guest/fs-root/sf/bin/sf-motd.sh @@ -30,7 +30,7 @@ if [[ -z $IS_VPN_CONNECTED ]]; then else i=0 while [[ $i -lt ${#VPN_GEOIP[@]} ]]; do - str="${VPN_PROVIDER[$i]} " + str="Exit ${VPN_PROVIDER[$i]} " VPN_DST+="${str:0:17} : " str="${VPN_EXIT_IP[$i]} " VPN_DST+="${CDG}${str:0:15}" diff --git a/host/fs-root/bin/segfaultsh b/host/fs-root/bin/segfaultsh index 78be3d2..cf8402b 100755 --- a/host/fs-root/bin/segfaultsh +++ b/host/fs-root/bin/segfaultsh @@ -235,7 +235,7 @@ mk_portforward() ipport=$(echo -e "DEL portd:response-${LID}\"\n\ RPUSH portd:blcmd \"getport ${LID}\"\n\ BLPOP portd:response-${LID} 5" | REDISCLI_AUTH="${SF_REDIS_AUTH}" redis-cli --raw -h sf-redis) || return - DEBUGF "ipport='$ipport'" + # DEBUGF "ipport='$ipport'" ipport="${ipport##*$'\n'}" [[ ! "${ipport##*:}" -gt 0 ]] && { DEBUGF "Failed to set up Reverse Port Forward (ipport='$ipport')"; return; } @@ -248,8 +248,8 @@ print_disclaimer() { echo 1>&2 -e "\ ${CR}###################################################################### -#### ${CY}DISCLAIMER: TO BE USED FOR CREATIVE AND GOOD PURPOSES ONLY..${CR} #### -#### ${CY}USE AT YOUR OWN RISK. ---> DON'T FUCK UP <--- ${CR}#### +#### ${CY}DISCLAIMER: TO BE USED FOR CREATIVE AND GOOD PURPOSES ONLY.. ${CR}#### +#### ${CY}TO TINKER AND TO EXPLORE. >>>USE AT YOUR OWN RISK<<< ${CR}#### ######################################################################${CN}" } diff --git a/sfbin/rportfw.sh b/sfbin/rportfw.sh index 0de1d77..7048983 100755 --- a/sfbin/rportfw.sh +++ b/sfbin/rportfw.sh 
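Review bot: The fill-stock interval in redis_loop_forever is a bare literal again on the very line that previously carried the mis-set value 6, which is how the drift went unnoticed; naming it keeps the comment and the check together, e.g. `local -r fillstock_interval=60` near the top of the function and `[[ $((fillstock_last_sec + fillstock_interval)) -lt $NOW ]] && { fillstock_last_sec="$NOW"; cmd_fillstock; }`. With `-lt` the check fires only once NOW exceeds the last run by more than 60 seconds, so the comment's "every 60-70 seconds" is approximate; "at least 60 seconds apart" states it exactly. The enclosing loop starts and ends outside the hunk.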
@@ -66,16 +66,18 @@ fw_del_byip() # Remove the Port Forward & FW rules for a list of ports. # Called from portd.sh when a container exited (by sf-destructor) # -# [...] -cmd_delports() +# [...] +cmd_delipports() { + local ipport local r_port [[ "${PROVIDER,,}" != "cryptostorm" ]] && return - DEBUGF "cmd_delports ${PROVIDER} '${*}'" + DEBUGF "cmd_delipports ${PROVIDER} '${*}'" - for r_port in "$@"; do + for ipport in "$@"; do + r_port="${ipport##*:}" curl -fsSL --retry 3 --max-time 10 http://10.31.33.7/fwd "-ddelfwd=${r_port}" fw_del "${r_port}" done @@ -167,11 +169,5 @@ shift 1 [[ "$cmd" == fwport ]] && { cmd_fwport "$@"; exit; } [[ "$cmd" == moreports ]] && { cmd_moreports "$@"; exit; } -[[ "$cmd" == delports ]] && { cmd_delports "$@"; exit; } # [ ...] -# [[ "$cmd" == fw_delip ]] && { fw_del_byip "$@"; exit; } # [CONTAINER-IP] +[[ "$cmd" == delipports ]] && { cmd_delipports "$@"; exit; } # [ ...] [[ "$cmd" == fw_delall ]] && { fw_del_byip "10.11."; exit; } - -# what happens if multiple segfaultsh logging in and taking ips ... will this replentish -# up to trashhold and what if max is reached (=5 on muvald)? - -# FIXME: work on vpn reconnecting and test it. \ No newline at end of file diff --git a/sfbin/vpn_wg2status.sh b/sfbin/vpn_wg2status.sh index f8b7a08..e49ab30 100755 --- a/sfbin/vpn_wg2status.sh +++ b/sfbin/vpn_wg2status.sh @@ -148,7 +148,7 @@ DSTDIR="$(dirname "${LOGFNAME}")" source /check_vpn.sh wait_for_handshake "${DEV}" || { echo -e "Handshake did not complete"; exit 255; } -check_vpn "${PROVIDER}" || { echo -e "VPN Check failed"; exit 255; } +check_vpn "${PROVIDER}" "${DEV}" || { echo -e "VPN Check failed"; exit 255; } [[ "$OP" == "up" ]] && { up; exit; }
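Review bot: In cmd_delipports `r_port="${ipport##*:}"` yields the whole argument when it contains no colon, and that value is then passed unvalidated into `-ddelfwd=${r_port}` for curl and into `fw_del`; since the arguments arrive from portd.sh over `docker exec`, validate the extracted port first: `[[ "$r_port" =~ ^[0-9]+$ ]] || { DEBUGF "bad ipport '${ipport}'"; continue; }`. The curl exit status is not checked, so `fw_del` runs even when the provider-side removal failed — reasonable if local cleanup should always happen, but a comment saying so would avoid a future "fix". The header comment `# [...]` lost its argument description in the rename; `# [IP:PORT ...]` documents the new format. The function's closing brace is outside the hunk.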