From 4bf7f9a76bbcf66f329676477a5ef76cf7be1cea Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Mon, 10 Feb 2025 22:37:55 +0100
Subject: [PATCH] Update firewall config to avoid timeouts and avoid spamming logs
---
 nix/deuxfleurs.nix | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 1b9ae3d..43e8c91 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
@@ -421,6 +421,12 @@ in
 cfg.wireguardPort
 ];
 
+ # Don't spam logs with refused connections
+ logRefusedConnections = false;
+
+ # Use REJECT instead of DROP, to avoid timeouts (e.g. when trying to connect to the wrong SSH port)
+ rejectPackets = true;
+
 # Allow specific hosts access to specific things in the cluster
 extraCommands = ''
 # Allow UDP packets comming from port 1900 from a local address,
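Review bot: The comments on `logRefusedConnections = false;` and `rejectPackets = true;` do not record the security trade-off, and nothing in the hunk limits either option to cluster or LAN peers. With REJECT the host answers probes on closed ports, which makes port scans faster and confirms the host is up, and with refused-connection logging off there is no longer a kernel-log trail of those attempts. I would extend the comments, e.g. `# Trade-off: REJECT answers probes on closed ports and makes port scans easier; accepted here for fast failure` and `# Refused connections are no longer logged; scan detection must come from another source`. The enclosing attribute set starts and ends outside the hunk, so I am assuming these sit under the NixOS firewall options next to `extraCommands`.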