#
# This is an example inet6 (i.e. IPv6) policy for capirca
# Target direction defaults to INGRESS if it is not specified in the header
#
# Ingress policy header. The target line names the generator (gce), the
# network (global/networks/default) and the address family keyword `mixed`.
# NOTE(review): despite the "inet6" wording above, the family here is
# `mixed`, and the terms below carry both v4-only and v6-only variants, so
# the emitted ruleset is expected to cover both IPv4 and IPv6 sources.
# No direction keyword is present, so this ruleset is INGRESS.
header {
comment:: "this is a sample policy to generate GCE filter"
target:: gce global/networks/default mixed
}
# TCP/SSH inbound from two address groups at once: PUBLIC_IPV6_SERVERS and
# PUBLIC_NAT (the v6-only / v4-only terms below use them separately, so this
# term is the "mixed families in one term" case).
term test-ssh-mixed {
comment:: "Allow SSH access from Server and Company with mixed addresses."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp
destination-port:: SSH
action:: accept
}
# TCP/SSH inbound from the IPv6 server group only.
term test-ssh-v6 {
comment:: "Allow SSH access from IPv6 server."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: tcp
destination-port:: SSH
action:: accept
}
# TCP/SSH inbound from PUBLIC_NAT only (the term name indicates an IPv4
# group; the address definition itself is not on this page).
term test-ssh-v4 {
comment:: "Allow SSH access to all instances from company."
source-address:: PUBLIC_NAT
protocol:: tcp
destination-port:: SSH
action:: accept
}
# Two protocols in one term (tcp and udp) to a named port set, HIGH_PORTS,
# which is defined outside this file. Scoped to the IPv6 server group.
term test-multiple-protocols {
comment:: "Allow high port access from a public IPv6 server."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: tcp udp
destination-port:: HIGH_PORTS
action:: accept
}
# No destination-port is given, so this term admits every TCP port (plus
# icmpv6) from both source groups; the wide scope is deliberate for a sample.
# NOTE(review): icmpv6 is paired here with PUBLIC_NAT, which the v4-only
# terms treat as IPv4 — confirm what the `mixed` generator emits for that
# combination.
term test-multiple-protocols-tcp-icmpv6 {
comment:: "Allow all tcp and icmpv6 from IPv6 Server."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp icmpv6
action:: accept
}
# All TCP ports plus icmp from both source groups (no destination-port).
# NOTE(review): icmp is paired with PUBLIC_IPV6_SERVERS, the IPv6 group —
# confirm how the `mixed` generator handles icmp against IPv6 sources.
term test-multiple-protocols-tcp-icmp {
comment:: "Allow all tcp and icmp."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: tcp icmp
action:: accept
}
# Same protocol pair as test-multiple-protocols-tcp-icmpv6, restricted to
# the IPv6 server group; still all TCP ports since no destination-port is set.
term test-multiple-protocols-tcp-icmpv6-v6-only {
comment:: "Allow all tcp and icmpv6."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: tcp icmpv6
action:: accept
}
# Same protocol pair as test-multiple-protocols-tcp-icmp, restricted to
# PUBLIC_NAT; still all TCP ports since no destination-port is set.
term test-multiple-protocols-tcp-icmp-v4-only {
comment:: "Allow all tcp and icmp."
source-address:: PUBLIC_NAT
protocol:: tcp icmp
action:: accept
}
# HTTP inbound with a source tag AND an unrestricted source address
# (ANY_MIXED); destination-tag limits the rule to instances tagged
# other-webserver.
# NOTE(review): GCP evaluates sourceRanges and sourceTags on one ingress
# rule as alternatives (a packet matching either is allowed), so with
# ANY_MIXED the webserver tag adds no restriction — this term is effectively
# "HTTP from anywhere" to the tagged instances. Fine for a sample; confirm
# the intent before reusing it.
term test-web {
comment:: "Allow HTTP/S to instances with webserver tag and any IPs."
source-tag:: webserver
source-address:: ANY_MIXED
protocol:: tcp
destination-port:: HTTP
destination-tag:: other-webserver
action:: accept
}
# Tag-only ingress: no source-address, so the source side is matched by the
# webserver tag alone; destination-tag scopes the target instances.
term test-web-tag-only {
comment:: "Allow HTTP/S to instances with webserver tag only."
source-tag:: webserver
protocol:: tcp
destination-port:: HTTP
destination-tag:: other-webserver
action:: accept
}
# IPv4 counterpart of test-web: source-address ANY plus the webserver tag.
# NOTE(review): as with test-web, source ranges and source tags are
# alternatives in GCP, so ANY makes the tag non-restrictive here too.
term test-web-tag-v4-only {
comment:: "Allow HTTP/S to instances with webserver tag."
source-address:: ANY
source-tag:: webserver
protocol:: tcp
destination-port:: HTTP
destination-tag:: other-webserver
action:: accept
}
# ICMP (all types) from PUBLIC_NAT; no type/code restriction is expressed.
term test-icmp {
comment:: "Allow ICMP from company."
source-address:: PUBLIC_NAT
protocol:: icmp
action:: accept
}
# ICMPv6 (all types) from the IPv6 server group; no type/code restriction
# is expressed.
term test-icmpv6 {
comment:: "Allow ICMPv6 from IPv6 server."
source-address:: PUBLIC_IPV6_SERVERS
protocol:: icmpv6
action:: accept
}
# IGMP from both source groups. NOTE(review): IGMP is an IPv4 protocol
# (IPv6 group management uses MLD over ICMPv6), so the IPv6 source listed
# here may produce no usable rule — confirm the generator's output.
term test-igmp {
comment:: "Allow IGMP from server and company with mixed addresses."
source-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
protocol:: igmp
action:: accept
}
# Catch-all: no match fields, so it applies to every ingress packet not
# accepted by an earlier term. Keep it as the last term of this header —
# the accept terms above must take precedence over it.
term default-deny {
action:: deny
}
#
# Sample EGRESS policy
# If source-tag is included, it maps to targetTags in the GCP Egress rule
#
# Egress policy header: same generator, network and `mixed` family as the
# ingress header, but with the direction given explicitly as EGRESS.
header {
comment:: "this is a sample policy to generate EGRESS GCE filter"
target:: gce EGRESS global/networks/default mixed
}
# Outbound TCP/SMTP to both destination groups. No source-tag, so (per the
# header comment above) no targetTags are set and the rule applies to all
# instances in the network.
term test-egress-address {
comment:: "Outbound to Server with mixed addresses."
protocol:: tcp
destination-port:: SMTP
destination-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
action:: accept
}
# Outbound TCP/SSH to both destination groups, limited to instances carrying
# the webserver tag (source-tag maps to targetTags for EGRESS, as the header
# comment states).
term test-egress-tag {
comment:: "Outbound to Server with tag."
protocol:: tcp
destination-port:: SSH
destination-address:: PUBLIC_IPV6_SERVERS PUBLIC_NAT
source-tag:: webserver
action:: accept
}
# IPv4-only variant of test-egress-tag: destination is the RFC1918 private
# ranges, again scoped to webserver-tagged instances.
term test-egress-tag-v4-only {
comment:: "Outbound to RFC1918."
protocol:: tcp
destination-port:: SSH
destination-address:: RFC1918
source-tag:: webserver
action:: accept
}
# IPv6-only variant of test-egress-tag: destination is the IPv6 server
# group, scoped to webserver-tagged instances.
term test-egress-tag-v6-only {
comment:: "Outbound to IPv6 Server."
protocol:: tcp
destination-port:: SSH
destination-address:: PUBLIC_IPV6_SERVERS
source-tag:: webserver
action:: accept
}
# Catch-all for the EGRESS header: denies all outbound traffic not accepted
# by the terms above. Keep it last within this header.
term egress-default-deny {
action:: deny
}