---
# Firewall policy: named address zones, a blacklist, reverse-path filtering,
# per-chain filter rules (input / output / forward) and source NAT.
# NOTE(review): the listing arrived with its line breaks and indentation
# collapsed; the nesting below is reconstructed from key order. Confirm it
# against the consuming tool's schema before relying on it.
zones:
  # Members come from a file name rather than a prefix; presumably the loader
  # resolves the zone from rules.yaml. The forward policy below depends on that
  # file, so review it together with this one.
  - name: users-internet-allowed
    include:
      - rules.yaml
  - name: mgmt
    include:
      - 10.203.0.0/16
  # Dual-stack zone: one IPv6 prefix and one IPv4 prefix.
  - name: adm
    include:
      - 2a09:6840::/29
      - 10.128.0.0/16
  # Defined only by exclusion, with no include list. Presumably "everything
  # except adm and mgmt"; confirm how the loader expands an exclude-only zone.
  - name: internet
    exclude:
      - adm
      - mgmt
blacklist:
  enabled: true
  # NOTE(review): the only entry is 0.0.0.0; it looks like a placeholder.
  # Confirm the list is populated in the deployed policy.
  addr:
    - 0.0.0.0
reverse_path_filter:
  enabled: true
filter:
  # NOTE(review): no default verdict or chain policy is visible in this
  # document. Confirm that input and forward traffic matching no rule is
  # dropped rather than accepted.
  input:
    # Loopback traffic is accepted unconditionally.
    - iif: lo
      verdict: accept
    # Management sources may reach TCP 22 and 240..242 on this host.
    - src: mgmt
      protocols:
        tcp:
          dport: "22,240..242"
      verdict: accept
    # Routing and redundancy protocols: OSPF, VRRP and TCP 179 (BGP port).
    # NOTE(review): "backbone" is not declared under zones in this document;
    # confirm how the loader treats an undeclared zone name.
    - src: backbone
      protocols:
        ospf: true
        vrrp: true
        tcp:
          dport: 179
      verdict: accept
    # ICMP is accepted from any source: this rule has no src restriction.
    # NOTE(review): the adm zone carries an IPv6 prefix; confirm whether
    # "icmp" also covers ICMPv6 and whether a rate limit applies.
    - protocols:
        icmp: true
      verdict: accept
  # All locally generated traffic is accepted; egress from this host is
  # unrestricted.
  output:
    - verdict: accept
  forward:
    # Accepts everything from this source, with no dest or protocol limit.
    # NOTE(review): "interco-crans" is not declared under zones in this
    # document.
    - src: interco-crans
      verdict: accept
    # Drop for TCP destination port 25 (SMTP) from user addresses. It is listed
    # before the accept rule below; presumably rules are evaluated in order.
    # NOTE(review): "tcp" sits directly on the rule here, whereas the input
    # rules nest it under "protocols". If the loader ignores unknown keys, the
    # port match is lost: either the SMTP block is not enforced or this rule
    # drops all traffic from the zone. Confirm against the schema.
    - src: users-internet-allowed
      tcp:
        dport: 25
      verdict: drop
    # dest mixes a zone name with a literal address.
    - src: users-internet-allowed
      dest:
        - internet
        - 10.0.0.1
      verdict: accept
nat:
  # Source NAT for the mgmt zone to a single address.
  # NOTE(review): no dest or outgoing-interface match is visible, so
  # presumably every forwarded mgmt-sourced flow is translated. Confirm the
  # scope is intended.
  - src: mgmt
    snat:
      addr: 45.66.108.14
      persistent: true
...