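---
# Firewall policy: named zones, a blacklist, reverse-path filtering,
# input/output/forward filter rules and one source-NAT rule.
# The layout below is rebuilt from a copy that had lost its line breaks;
# nesting follows the key order of that copy. Verify against the consumer's
# schema before deploying.

zones:
  # Membership is loaded from an external file rather than listed inline.
  users-internet-allowed:
    files: ['example.yaml']
  mgmt:
    addrs: ['10.203.0.0/16']
  # CIDRs are quoted so the colons in the IPv6 prefix cannot be misread
  # inside a flow sequence by stricter or older parsers.
  adm:
    addrs: ['2a09:6840::/29', '10.128.0.0/16']
  # Presumably "every address that is NOT in adm or mgmt" - TODO confirm.
  # If so, other private ranges (e.g. the rest of 10.0.0.0/8) also count
  # as "internet" for any rule that uses this zone.
  internet:
    negate: true
    zones: [adm, mgmt]
  # Original note, translated from French, meaning unclear:
  # "interne: negate KO" - possibly records that negation did not work
  # for an internal zone. TODO confirm with the author.

blacklist:
  enabled: true
  # NOTE(review): 0.0.0.0 looks like a placeholder entry, and this key is
  # "addr" while the zones use "addrs" - confirm the consumer reads this
  # key, otherwise the blacklist may be silently empty.
  addr: ['0.0.0.0']

# Reverse-path filtering (anti-spoofing) is switched on.
reverse_path_filter:
  enabled: true

filter:
  # NOTE(review): presumably rules are evaluated top to bottom and the
  # default verdict for unmatched traffic is set by the generator - neither
  # is visible in this file; confirm the default is drop.
  input:
    # Loopback traffic.
    - iif: lo
      verdict: accept
    # TCP 22 and 240..242 (presumably an inclusive port range) from the
    # management zone only.
    - src: mgmt
      protocols:
        tcp:
          dport: [22, '240..242']
      verdict: accept
    # Routing protocols: OSPF, VRRP and TCP 179.
    # NOTE(review): zone "backbone" is not defined in this file - confirm
    # it is defined elsewhere, and how an undefined zone is handled.
    - src: backbone
      protocols:
        ospf: true
        vrrp: true
        tcp:
          dport: [179]
      verdict: accept
    # NOTE(review): ICMP is accepted from any source; no type filter or
    # rate limit is visible here - confirm the generator adds one.
    - protocols:
        icmp: true
      verdict: accept
  # All traffic originated by this host is allowed out.
  output:
    - verdict: accept
  forward:
    # NOTE(review): zone "interco-crans" is not defined in this file and
    # this rule accepts everything from it - confirm the zone's scope.
    - src: interco-crans
      verdict: accept
    # Drop TCP 25 from user hosts to any destination. Must stay above the
    # accept rule below for the drop to take effect under first-match.
    - src: users-internet-allowed
      protocols:
        tcp:
          dport: [25]
      verdict: drop
    # NOTE(review): dest lists both addrs and zones; whether they are
    # ANDed or ORed is not visible here. 10.0.0.1 lies outside adm and
    # mgmt, so the two readings differ widely: only 10.0.0.1 versus
    # everything outside adm/mgmt. Confirm which one applies.
    - src: users-internet-allowed
      dest:
        addrs: ['10.0.0.1']
        zones: [internet]
      verdict: accept

nat:
  # Source-NAT traffic from the management zone to one fixed address.
  - src:
      zones: [mgmt]
    snat:
      addr: '45.66.108.14'
      persistent: true
...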