---
# Firewall policy example: named address zones, a blacklist, reverse-path
# filtering, and per-chain filter rules (input / output / forward).
# NOTE(review): the nesting below is reconstructed from a copy that had lost
# its line breaks; verify it against the consuming tool's schema before use.
# NOTE(review): no default verdict is set in this file, so the fate of
# traffic that matches no rule depends on the tool's defaults - confirm that
# unmatched input and forward traffic is dropped.

zones:
  # Membership comes from another file that is not shown here. The forward
  # rules below trust this zone, so review that file together with this one.
  users-internet-allowed:
    file: examples/infra_included.yaml
  mgmt:
    addrs: 10.203.0.0/16
  # NOTE(review): the IPv6 prefix is an unquoted scalar containing ':' inside
  # a flow sequence; quoting it would avoid differences between YAML parsers.
  adm:
    addrs: [2a09:6840::/29, 10.128.0.0/16]
  # Presumably "every address outside adm and mgmt" - confirm how the tool
  # interprets negate.
  internet:
    negate: true
    zones: [adm, mgmt]
  # Single host (/32).
  interco-crans:
    addrs: 10.0.0.1/32

# NOTE(review): adm is listed as blocked here but is also the source of
# accept rules in filter.input. Which of the two wins is not visible in this
# file - confirm the precedence and that blocking the adm zone is intended.
blacklist:
  blocked: adm

# Presumably a source-address (anti-spoofing) check. Only back0 is listed, so
# other interfaces would not be covered - confirm.
reverse_path_filter:
  interfaces: back0

filter:
  # Traffic addressed to this host. Presumably the first matching rule
  # decides, so the order of the entries matters - confirm.
  input:
    # Loopback traffic.
    - iif: lo
      verdict: accept
    # ICMP, OSPF and VRRP from the adm zone.
    - src: adm
      protocols:
        icmp: true
        ospf: true
        vrrp: true
      verdict: accept
    # TCP 179 (BGP) from the adm zone.
    - src: adm
      protocols:
        tcp:
          dport: 179
      verdict: accept
    # TCP 22 (SSH) and 240..242 from the mgmt zone only; 240..242 is
    # presumably an inclusive port range - confirm.
    - src: mgmt
      protocols:
        tcp:
          dport: [22, 240..242]
      verdict: accept
    # ICMP from any source, since no src is given.
    # NOTE(review): this makes "icmp: true" in the adm rule above redundant
    # and accepts every ICMP type from any network that can reach the host.
    - protocols:
        icmp: true
      verdict: accept
  # Everything the host itself sends is accepted; there is no egress
  # restriction on locally generated traffic.
  output:
    - verdict: accept
  # Traffic routed through this host.
  forward:
    # Everything from 10.0.0.1, with no protocol or destination limit.
    - src: interco-crans
      verdict: accept
    # Drops TCP to port 25 from the users zone; only port 25 is listed.
    # This rule has to stay above the broad accept that follows.
    - src: users-internet-allowed
      protocols:
        tcp:
          dport: [25]
      verdict: drop
    # NOTE(review): the dest restriction is commented out, so this accept
    # matches any destination, which presumably includes the adm and mgmt
    # ranges when they are routed through this host - confirm that is
    # intended, or restore the dest line.
    - src: users-internet-allowed
      # dest: [10.0.0.1, internet]
      verdict: accept

# NAT is not configured by this file: the block below is commented out.
# TODO: Nat translation
#
# nat:
#   - src: mgmt
#     snat:
#       addr: 45.66.108.14
#       persistent: true
...