---
# Example rule set: named address zones, a blacklist, reverse-path filtering
# and filter chains. Only the first three `input` rules are active; everything
# from "src: backbone" onwards is commented out.
# NOTE(review): this listing was recovered from a single collapsed line, so the
# nesting (of the disabled rules in particular) is reconstructed -- check it
# against the generator's schema before reuse.
zones:
  # presumably loaded from the referenced file rather than defined inline
  users-internet-allowed:
    file: examples/infra_included.yaml
  mgmt:
    addrs: 10.203.0.0/16
  adm:
    addrs: [2a09:6840::/29, 10.128.0.0/16]
  # Defined by negation of adm and mgmt: presumably "any address outside those
  # two zones". mgmt lists only an IPv4 prefix -- confirm how the negation
  # behaves for IPv6 sources.
  internet:
    negate: true
    zones: [adm, mgmt]

# NOTE(review): this names the adm zone as blocked, which would appear to cut
# off the admin prefixes; presumably example data -- confirm before reuse.
blacklist:
  blocked: adm

# Reverse-path filtering is requested for back0 only.
reverse_path_filter:
  interfaces: back0

filter:
  input:
    # SSH (tcp/22) from the internet zone towards `gitea`.
    # NOTE(review): no `gitea` zone is defined in this file; presumably it
    # comes from the included file. Confirm that an unresolved zone name is a
    # hard error, not a dropped match that would widen this accept.
    - src: internet
      dst: gitea
      protocols:
        tcp:
          dport: 22
      verdict: accept

    # Loopback traffic.
    - iif: lo
      verdict: accept

    # Management network: tcp/22 plus 240..242 (looks like the generator's
    # port-range syntax -- confirm).
    - src: mgmt
      protocols:
        tcp:
          dport: [22, 240..242]
      verdict: accept

    # NOTE(review): nothing in this file states the verdict for input traffic
    # that matches no rule; confirm the generator's default policy is drop.
#
#    - src: backbone
#      protocols:
#        ospf: true
#        vrrp: true
#        tcp:
#          dport: [179]
#      verdict: accept
#
#    - protocols:
#        icmp: true
#      verdict: accept
#
#  output:
#    - verdict: accept
#
#  forward:
#    - src: interco-crans
#      verdict: accept
#
# NOTE(review): the tcp/25 drop precedes the broader accept for the same
# source; presumably rules are evaluated in order -- keep this ordering if the
# block is enabled.
#    - src: users-internet-allowed
#      protocols:
#        tcp:
#          dport: [25]
#      verdict: drop
#
# NOTE(review): this rule uses `dest`, while the active rules use `dst`. If
# the generator ignores unknown keys, the rule would accept traffic to any
# destination -- confirm the key name before enabling.
#    - src: users-internet-allowed
#      dest: [10.0.0.1, internet]
#      verdict: accept
#
# NOTE(review): whether `nat` belongs at top level or under another key cannot
# be recovered from the collapsed source.
# nat:
#   - src: mgmt
#     snat:
#       addr: 45.66.108.14
#       persistent: true
...