---
firewall__zones:
  adm-legacy:
    addrs:
      - 2a09:6840:128::/64
      - 10.128.0.0/16
  ups:
    addrs:
      - 2a09:6840:201::/64
      - 10.201.0.0/16
  back:
    addrs:
      - 2a09:6840:203::/64
      - 10.203.0.0/16
  monit:
    addrs:
      - 2a09:6840:204::/64
      - 10.204.0.0/16
  wifi:
    addrs:
      - 2a09:6840:205::/64
      - 10.205.0.0/16
  int:
    addrs:
      - 2a09:6840:206::/64
      - 10.206.0.0/16
  sw:
    addrs:
      - 2a09:6840:207::/64
      - 10.207.0.0/16
  bmc:
    addrs:
      - 2a09:6840:208::/64
      - 10.208.0.0/16
  pve:
    addrs:
      - 2a09:6840:209::/64
      - 10.209.0.0/16
  isp:
    addrs:
      - 2a09:6840:210::/64
      - 10.210.0.0/16
  ext:
    addrs:
      - 2a09:6840:211::/64
      - 10.211.0.0/16
  pub:
    addrs:
      - 2a09:6840:215::/64
      - 45.66.111.204/30
  vpn-clients:
    addrs:
      - 2a09:6840:212::/64
      - 10.212.0.0/16
  vpn:
    addrs:
      - 2a09:6840:213::/64
      - 10.213.0.0/16
  infra:
    zones:
      - adm-legacy
      - ups
      - back
      - monit
      - wifi
      - int
      - sw
      - bmc
      - pve
      - isp
      - ext
      - pub
      - vpn
  internet:
    negate: true
    addrs:
      - 2a09:6840::/32
      - 2a09:6841::/32
      - 2a09:6842::/32
      - 45.66.108.0/22
      - 10.0.0.0/8
      - 100.64.0.0/10
  prometheus.int:
    addrs:
      - 2a09:6840:204::1:1
      - 10.204.1.1
      - 2a09:6840:204::1:2
      - 10.204.1.2
  grafana.adm:
    addrs:
      - 2a09:6840:128::98
      - 10.128.0.98
  dns.int:
    addrs:
      - 2a09:6840:206::1:1
      - 10.206.1.1
      - 2a09:6840:206::1:2
      - 10.206.1.2
  ntp.int:
    addrs:
      - 2a09:6840:206::1:5
      - 10.206.1.5
      - 2a09:6840:206::1:6
      - 10.206.1.6
  docker-ovh.adm:
    addrs:
      - 2a09:6840:128::150
      - 10.128.0.150
  mx.test:
    addrs:
      - 2a09:6840:211::1:5
      - 45.66.111.205
      - 10.128.1.5
  proxy.pub:
    addrs:
      - 2a09:6840:214::1:1
      - 45.66.111.206

firewall__input:
  - iif:
      - back0 # FIXME link-local
      - vpn0
    verdict: accept
  - src:
      - back
      - vpn
    verdict: accept
  - src: monit
    protocols:
      tcp:
        dport: 9100
    verdict: accept
  - src: monit
    protocols:
      tcp:
        dport: 9324
    verdict: accept
  - protocols:
      icmp: true
    verdict: accept
  - protocols:
      tcp:
        dport: 22
    verdict: accept
  - verdict: drop

firewall__output:
  - verdict: accept

firewall__forward:
  - src: back
    dst: infra
    verdict: accept
  - src: infra # FIXME: temporary
    dst: internet
    verdict: accept
  - src: monit
    dst: bmc
    protocols:
      icmp: true
    verdict: accept
  - dst: mx.test
    protocols:
      icmp: true
    verdict: accept
  - dst: mx.test
    protocols:
      tcp:
        dport:
          - 25
          - 465
          - 993
    verdict: accept
  # SNMP
  - src: monit
    dst:
      - sw
      - ups
    protocols:
      udp:
        dport: 161
    verdict: accept
  # Alertmanager
  - src: monit
    dst: docker-ovh.adm
    protocols:
      tcp:
        dport: 9093
    verdict: accept
  - src: adm-legacy
    dst: bmc
    verdict: accept
  # Prometheus for Grafana
  - src: grafana.adm
    dst: prometheus.int
    protocols:
      tcp:
        dport: 9090
    verdict: accept
  # Admin VPN clients
  - src: vpn-clients
    dst: infra
    verdict: accept
  # Prometheus node
  - src: monit
    dst: infra
    protocols:
      tcp:
        dport: 9100
    verdict: accept
  # Prometheus bird
  - src: monit
    dst: back
    protocols:
      tcp:
        dport: 9324
    verdict: accept
  # Prometheus kresd
  - src: monit
    dst: dns.int
    protocols:
      tcp:
        dport: 8453
    verdict: accept
  # Allow DNS from infra to dns-{1,2}
  - src: infra
    dst: dns.int
    protocols:
      udp:
        dport: 53
    verdict: accept
  - src: infra
    dst: dns.int
    protocols:
      tcp:
        dport: 53
    verdict: accept
  # Allow NTP from infra to ntp-{1,2} 
  - src: infra
    dst: ntp.int
    protocols:
      udp:
        dport: 123
    verdict: accept
  # Admin Wireguard
  - dst:
      - 2a09:6840:211::1:1
      - 45.66.111.204
      - 10.211.1.1
    protocols:
      udp:
        dport: 5121
    verdict: accept
  # Proxy web
  - dst: proxy.pub
    protocols:
      tcp:
        dport:
          - 80
          - 443
    verdict: accept
  # ICMP to public vlan
  - dst: pub
    protocols:
      icmp: true
    verdict: accept

firewall__nat:
  - src: 10.0.0.0/8
    dst: internet
    protocols: null
    snat:
      addr: 45.66.111.200/32
  #- src: monit
  #  dst: adm-legacy
  #  protocols: null
  #  snat:
  #    addr: 10.203.1.3/32
...