Changes

/cc @lelutin
anarcat · 8773d85b
--- a/doc/ssh-jump-host.md
+++ b/doc/ssh-jump-host.md
@@ -74,6 +74,26 @@ specify a `git@` user in your git remotes, but it's a good practice
 nevertheless to catch those scenarios where that might have been
 forgotten.

+# When not to use the jump host
+
+If you're going to do a *lot* of batch operations on all hosts (for
+example with [Cumin](howto/cumin)), you definitely want to add yourself to the
+[adding yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list) so that you can *skip* using
+the jump host.
+
+For this, anarcat uses a special `trusted-network` command that fails
+unless the network is on that allow list. Therefore, the above jump
+host exception list becomes:
+
+    # use jump host if the network is not in the trusted whitelist
+    Match host *.torproject.org, !host ssh.torproject.org, !host ssh-dal.torproject.org, !host ssh-fsn.torproject.org, !host people.torproject.org, !host gitlab.torproject.org, !exec trusted-network
+      ProxyJump anarcat@ssh-dal.torproject.org
+
+The [`trusted-network` command](https://gitlab.com/anarcat/scripts/-/blob/3f3f024b9b2cbd0a32687727be7b26c8594ef933/trusted-network) checks for the default gateway on
+the local machine and checks if it matches an allow list. It could
+also just poke at the internet to see "what is my IP address", like
+<https://check.torproject.org/>...
+
 # Sample configuration

 Here is a redacted copy of anarcat's `~/.ssh/config` file: