From c58a7da25778868811e78a6f25a463bf8fdc1471 Mon Sep 17 00:00:00 2001
From: Rui Quintino
Date: Wed, 20 Aug 2025 23:17:44 +0100
Subject: [PATCH 1/2] add Explicit REJECT

Allows for immediate (~20ms) for any blocked call instead of long timeout
---
 .devcontainer/init-firewall.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.devcontainer/init-firewall.sh b/.devcontainer/init-firewall.sh
index b126dd98..aa018725 100644
--- a/.devcontainer/init-firewall.sh
+++ b/.devcontainer/init-firewall.sh
@@ -113,6 +113,9 @@ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Then allow only specific outbound traffic to allowed domains
 iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
 
+# Explicitly REJECT all other outbound traffic for immediate feedback
+iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+
 echo "Firewall configuration complete"
 echo "Verifying firewall rules..."
 if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then

From 2b46e473600b2b45cd02c3734cb3acbc81e24013 Mon Sep 17 00:00:00 2001
From: Rui Quintino
Date: Wed, 20 Aug 2025 23:41:38 +0100
Subject: [PATCH 2/2] update to icmp-admin-prohibited

makes more sense for the intended usage
---
 .devcontainer/init-firewall.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.devcontainer/init-firewall.sh b/.devcontainer/init-firewall.sh
index aa018725..062fcfdb 100644
--- a/.devcontainer/init-firewall.sh
+++ b/.devcontainer/init-firewall.sh
@@ -114,7 +114,7 @@ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
 
 # Explicitly REJECT all other outbound traffic for immediate feedback
-iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
 
 echo "Firewall configuration complete"
 echo "Verifying firewall rules..."
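Review bot: The new `iptables -A OUTPUT -j REJECT` line (added in PATCH 1/2 and revised in PATCH 2/2) is a catch-all appended to the chain, so it must stay the last OUTPUT rule; any `-A OUTPUT ... -j ACCEPT` that is appended after it later in the script, or by a second run if the script does not flush the chain first (not visible in this hunk), would sit behind the REJECT and never match. The comment above the rule should say so: `# Must remain the LAST rule in OUTPUT: any rule appended after it is unreachable.` Separately, this rule is IPv4-only; nothing in either patch touches ip6tables, so if the container has IPv6 routes, outbound v6 traffic gets neither the block nor the fast-fail unless an equivalent `ip6tables -A OUTPUT -j REJECT --reject-with icmp6-adm-prohibited` is added alongside it. The `curl --connect-timeout 5 https://example.com` check that follows will now fail fast rather than time out, which is the intended effect, but it only observes that the connection fails, not that the REJECT is what caused it.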