diff --git a/hosts/modules/services/rsync-net/default.nix b/hosts/modules/services/rsync-net/default.nix
index 9dba3eae1..cf634bd43 100644
--- a/hosts/modules/services/rsync-net/default.nix
+++ b/hosts/modules/services/rsync-net/default.nix
@@ -39,11 +39,20 @@ in
 serviceConfig.Restart = "no";
 serviceConfig.User = "colin";
- # hardening
 serviceConfig.AmbientCapabilities = [
 # needs to be able to read files owned by any user
 "CAP_DAC_READ_SEARCH"
 ];
+ serviceConfig.RestrictNetworkInterfaces = [
+ # strictly forbid sending traffic over any non ethernet/wifi interface,
+ # because i don't want this e.g. consuming all my cellular data.
+ # TODO: test this. i don't know that the moby kernel/systemd actually supports these options
+ "lo" # for DNS
+ "eth0"
+ "wlan0"
+ ];
+
+ # hardening
 serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
 serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
 serviceConfig.ReadOnlyPaths = "/nix/persist/private";
diff --git a/hosts/modules/services/rsync-net/sane-backup-rsync-net b/hosts/modules/services/rsync-net/sane-backup-rsync-net
index 6cb9772de..89b92b8e2 100755
--- a/hosts/modules/services/rsync-net/sane-backup-rsync-net
+++ b/hosts/modules/services/rsync-net/sane-backup-rsync-net
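Review bot: The new `RestrictNetworkInterfaces` allow-list hard-codes `eth0`/`wlan0` in a module under `hosts/modules/`, i.e. one shared across hosts, while the comment only reasons about the moby device; on any host using systemd's predictable names (`enp*`, `wlp*`) the unit would be left with loopback only and the backup would stop working without an obvious error. The TODO also understates the failure mode: as far as I recall, when the running kernel or systemd lacks the BPF cgroup support this setting needs, systemd logs a warning and starts the unit without the restriction, so the cellular-data protection fails open rather than closed. I'd lift the list into a module option (e.g. `allowedInterfaces`, default `[ "lo" "eth0" "wlan0" ]`) so other hosts can override it, and sharpen the TODO to `# TODO: verify per host: journalctl must show no RestrictNetworkInterfaces warning, and the unit must fail (not fall back) when only an unlisted interface is up`. Note also that the allow-list excludes VPN/tunnel interfaces (`wg*`, `tun*`), which matters if backups are ever expected to route through one.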
@@ -26,9 +26,9 @@ for dir in "$@"; do
 echo "syncing '$dir' to '$remote_dir'"
 echo "$now" > "$dir"/zzz-rsync-net/last-attempted
 # N.B.: manual flags instead of `-a -> -rlptgoD` because device files have a max path length which is too restricted
- # if SANEBOX_PREPEND="--sanebox-disable" \
- if SANEBOX_PREPEND="--sanebox-cap dac_read_search --sanebox-path $RN_ID" \
- sane-vpn do unmetered -- \
+ # TODO: add `sane-vpn do unmetered --`, after fixing pasta/sane-vpn to preserve capabilities + not create a new user namespace unconditionally.
+ # until then, don't run over cellular!
+ if SANEBOX_PREPEND="--sanebox-method landlock --sanebox-cap dac_read_search --sanebox-path $RN_ID" \
 rsync --exclude="$RN_ID" -e "ssh -i $RN_ID" --mkpath -rlptgov --delete "$dir" "$remote_dir"; \
 then
 echo "$now" > "$dir"/zzz-rsync-net/last-completed
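Review bot: Dropping `sane-vpn do unmetered --` from the `if` line removes the script's only in-process enforcement of the metered-network policy, and its replacement is the comment `# until then, don't run over cellular!`, which relies on the operator remembering rather than on anything the script checks. The newly added `--sanebox-method landlock` does not fill that gap either: Landlock, as far as the standard ABI goes, constrains filesystem access, not which interface traffic leaves on, so the real guard now lives entirely in the `RestrictNetworkInterfaces` list in `default.nix` in this same commit. I'd say so here so the two files are not edited independently: `# NOTE: cellular-data protection now relies solely on RestrictNetworkInterfaces in default.nix; this script performs no route/interface check itself.` The enclosing `for dir in "$@"; do` loop begins before the hunk and the `if`/`then` body continues past it.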