firewall/examples/infra.yaml

---
zones:
  users-internet-allowed:
    file: examples/infra_included.yaml

  mgmt:
    addrs: 10.203.0.0/16

  adm:
    addrs: [2a09:6840::/29, 10.128.0.0/16]

  internet:
    negate: true
    zones: [adm, mgmt]


blacklist:
  blocked: adm


reverse_path_filter:
  interfaces: back0


filter:
  input:
    - src: internet
      dst: gitea
      protocols:
        tcp:
          dport: 22
      verdict: accept

    - iif: lo
      verdict: accept

    - src: mgmt
      protocols:
        tcp:
          dport: [22, 240..242]
      verdict: accept

#
    # - src: backbone
      # protocols:
        # ospf: true
        # vrrp: true
        # tcp:
            # dport: [179]
      # verdict: accept
#
    # - protocols:
        # icmp: true
      # verdict: accept
#
  # output:
    # - verdict: accept
#
  # forward:
    # - src: interco-crans
      # verdict: accept
#
    # - src: users-internet-allowed
      # protocols:
        # tcp:
          # dport: [25]
      # verdict: drop
#
    # - src: users-internet-allowed
      # dest: [10.0.0.1, internet]
      # verdict: accept
#
# nat:
  # - src: mgmt
    # snat:
      # addr: 45.66.108.14
      # persistent: true
...
chore: Add examples 2023-08-27 22:32:54 +02:00			`---`
			`zones:`
			`users-internet-allowed:`
			`file: examples/infra_included.yaml`

			`mgmt:`
			`addrs: 10.203.0.0/16`

			`adm:`
			`addrs: [2a09:6840::/29, 10.128.0.0/16]`

			`internet:`
			`negate: true`
			`zones: [adm, mgmt]`


			`blacklist:`
			`blocked: adm`


			`reverse_path_filter:`
			`interfaces: back0`


			`filter:`
			`input:`
			`- src: internet`
			`dst: gitea`
			`protocols:`
			`tcp:`
			`dport: 22`
			`verdict: accept`

			`- iif: lo`
			`verdict: accept`

			`- src: mgmt`
			`protocols:`
			`tcp:`
			`dport: [22, 240..242]`
			`verdict: accept`

			`#`
			`# - src: backbone`
			`# protocols:`
			`# ospf: true`
			`# vrrp: true`
			`# tcp:`
			`# dport: [179]`
			`# verdict: accept`
			`#`
			`# - protocols:`
			`# icmp: true`
			`# verdict: accept`
			`#`
			`# output:`
			`# - verdict: accept`
			`#`
			`# forward:`
			`# - src: interco-crans`
			`# verdict: accept`
			`#`
			`# - src: users-internet-allowed`
			`# protocols:`
			`# tcp:`
			`# dport: [25]`
			`# verdict: drop`
			`#`
			`# - src: users-internet-allowed`
			`# dest: [10.0.0.1, internet]`
			`# verdict: accept`
			`#`
			`# nat:`
			`# - src: mgmt`
			`# snat:`
			`# addr: 45.66.108.14`
			`# persistent: true`
			`...`