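# DMZ access policy.
#
# Both chains below are regular (non-base) chains: they carry no hook and are
# only evaluated when a base chain elsewhere jumps to them.  Which traffic is
# considered "to" or "from" the DMZ is therefore decided by that caller, which
# is not part of this file.  Whitelists are kept as named sets so that hosts
# can be added with `nft add element` without touching the rules.
table inet firewall {

    # Web frontends reachable on HTTP/HTTPS only.  Adding a host here is the
    # quick way to expose a new web server.
    set dmz_whitelist_web {
        type ipv4_addr
        elements = {
            193.54.193.11,  # jarvis (librenms)
            193.54.193.23,  # fafnir (passbolt)
            193.54.193.25,  # thor (re2o)
            193.54.193.26,  # urdarbrunn (wiki)
            193.54.193.27,  # loki (access-point controller)
            193.54.193.31,  # brokkr (gitlab)
            193.54.193.33,  # verdandi (icinga)
        }
    }

    # Arbitrary TCP services, keyed on destination address . destination port.
    # NOTE(review): RADIUS authentication/accounting (1812/1813) is normally
    # UDP; the TCP entries mirror the UDP set below -- confirm they are needed.
    set dmz_whitelist_tcp {
        type ipv4_addr . inet_service
        elements = {
            193.54.193.20 . 1812,  # frigg (radius)
            193.54.193.20 . 1813,  # frigg (radius)
        }
    }

    # Arbitrary UDP services, keyed on destination address . destination port.
    set dmz_whitelist_udp {
        type ipv4_addr . inet_service
        elements = {
            193.54.193.20 . 1812,  # frigg (radius)
            193.54.193.20 . 1813,  # frigg (radius)
        }
    }

    # Traffic heading into the DMZ: allow only what is whitelisted, log and
    # drop everything else.
    chain to_dmz {
        ip daddr @dmz_whitelist_web tcp dport { http, https } accept
        ip daddr . tcp dport @dmz_whitelist_tcp accept
        ip daddr . udp dport @dmz_whitelist_udp accept

        # Logging is rate-limited so that a flood of packets to a
        # non-whitelisted DMZ address cannot fill the system log; the counter
        # on the drop rule still accounts for every rejected packet.  The
        # prefix ends with a space because the kernel appends "IN=..." directly
        # after it.
        limit rate 10/minute burst 5 packets log prefix "Invalid access to dmz: "
        counter drop
    }

    # Traffic leaving the DMZ.
    # NOTE(review): this accepts everything unconditionally.  If the calling
    # base chain routes DMZ -> internal-network traffic through here, a
    # compromised DMZ host can reach the internal network freely; confirm that
    # the caller only sends DMZ -> Internet (or reply) traffic to this chain.
    chain from_dmz {
        accept
    }
}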