diff --git a/machines/cj/firewall.nix b/machines/cj/firewall.nix
index e01061a..9a30d97 100644
--- a/machines/cj/firewall.nix
+++ b/machines/cj/firewall.nix
@@ -7,13 +7,20 @@
 #8123 # home-assistant
 #3000 # gitea
 8081 # vaultwarden
- 80 443 # reverse proxy
+ # If we are reverse proxying we should map to a different port than 443 or
+ # 80. Here we blackhole those ports so that pihole will be more efficient.
+ # When pihole "blocks" a site, depending on configuration what it may really
+ # does is returns its own IP, so the client then requests the content from
+ # this node at whichever port it needs. That is usually 80 or 443 for http
+ # and https, so it's better to block these fast than to pass all that
+ # traffic to some actual service.
+ #80 443 # reverse proxy
 ];
 allowedUDPPorts = [
 22000 21027 # syncthing
 3478 5514 10001 1900 123 # unifi
 53 # pihole
- 80 443 # reverse proxy
+ #80 443 # reverse proxy
 ];
 allowedUDPPortRanges = [
 { from = 5656; to = 5699; } # unifi
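Review bot: The new comment promises to "block these fast", but on NixOS removing 80/443 from `allowedTCPPorts` makes the firewall silently DROP those SYNs unless `networking.firewall.rejectPackets = true` is set somewhere in this file (not visible in the hunk), so browsers steered here by Pi-hole will retry until they time out rather than fail immediately — the saving is on this host, not on the client. If fast client-side failure is the intent, set `networking.firewall.rejectPackets = true;` (note it applies to every closed port, not just these two) or add a caveat to the comment such as `# NOTE: without rejectPackets these are dropped, not rejected; clients time out instead of getting a RST`. The comment also has a grammar slip: `what it may really does is returns its own IP` should read `what it may really do is return its own IP`. The `allowedTCPPorts = [` that opens this list begins outside the hunk, so whether any other TCP entry still fronts the reverse proxy cannot be confirmed from here.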