From 77a4e45be41e793922c669f16c4b90a62ad18a0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 23 Jun 2024 02:04:34 +0200
Subject: [PATCH] Safeguard against reflect changes
---
 config/net/upstream.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/config/net/upstream.nix b/config/net/upstream.nix
index 5e30fdc..eedb53a 100644
--- a/config/net/upstream.nix
+++ b/config/net/upstream.nix
@@ -34,11 +34,15 @@ in
 destination = servHosts.public-access-proxy;
 proto = "tcp";
 sourcePort = 80;
+ # this is the default but written here explicitly because we do ip based filtering
+ reflect = false;
 }
 { # https
 destination = servHosts.public-access-proxy;
 proto = "tcp";
 sourcePort = 443;
+ # this is the default but written here explicitly because we do ip based filtering
+ reflect = false;
 }
 { # gemini
 destination = "${c3d2-web}:1965";
@@ -49,11 +53,15 @@ in
 destination = servHosts.knot;
 proto = "tcp";
 sourcePort = 53;
+ # this is the default but written here explicitly because we do ip based filtering
+ reflect = false;
 }
 {
 destination = servHosts.knot;
 proto = "udp";
 sourcePort = 53;
+ # this is the default but written here explicitly because we do ip based filtering
+ reflect = false;
 }
 {
 destination = dn42;
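Review bot: The comment repeated above each of the four added `reflect = false;` lines (ports 80 and 443 in the first hunk, both port 53 entries in the second) says that IP-based filtering exists but not what reflection would do to it, so a later reader cannot judge whether changing the value is safe. If, as the wording suggests, reflection makes the backend see the router's address instead of the real client's, state that, e.g. `# keep off: with reflection the backend would presumably see the gateway as source, defeating its IP-based filtering`. The gemini entry at the end of the first hunk and the dn42 entry at the end of the second stay on the implicit default; if either backend also filters by source address it needs the same pin, and if not, a short note saying so would make the omission visibly deliberate. The forward list starts and continues outside both hunks, so further entries may need the same check.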