# FTP, modelled separately for the control channel and for both data-channel
# modes, so that packet filters without connection tracking can pass the
# data connections as well.
#
# Control connection: client -> server, TCP destination port 21.
service:ftp-command = tcp 21;
# Passive-mode data: client -> server, any TCP destination port 1024-65535.
# 'stateless' is understood to restrict this entry to devices without
# connection tracking -- confirm against the Netspoc version in use.
# NOTE(review): on such a device this permits every unprivileged TCP port
# on the destination, not only the port negotiated over the control
# channel. Pin the server's passive port range and mirror it here.
service:ftp-passive-data = tcp 1024-65535, stateless;
# Active-mode data: 'tcp 20:1024-65535' is source port 20, destination
# ports 1024-65535; 'reversed' swaps source and destination of the rule,
# so the connection runs server -> client.
# NOTE(review): a source-port match is not an authenticator; the sender
# chooses its own source port. Everything at the permitted source address
# that can bind port 20 reaches all high ports of the client network.
service:ftp-active-data = tcp 20:1024-65535, stateless, reversed;
# Groups: passive only, active only, and both modes together.
servicegroup:ftp-passive = service:ftp-command, service:ftp-passive-data;
servicegroup:ftp-active = service:ftp-command, service:ftp-active-data;
# ftp-all is the widest variant: it opens both data directions on
# stateless devices. Prefer ftp-passive or ftp-active when one mode suffices.
servicegroup:ftp-all = 
 service:ftp-command, service:ftp-passive-data, service:ftp-active-data;
 
# TFTP, modelled as three one-directional UDP flows.
#
# Initial request: client -> server, UDP destination port 69.
# 'oneway' is understood to suppress the automatically generated rule for
# answer packets on stateless devices -- confirm against the Netspoc
# version in use. The answers are listed explicitly below instead.
service:tftp-request= udp 69, oneway;
# Server -> client ('reversed'), any UDP destination port 1024-65535,
# stateless devices only.
service:tftp-server-answer = udp 1024-65535, stateless, reversed, oneway;
# Client -> server, any UDP destination port 1024-65535, stateless devices
# only (follow-up packets go to the port the server answered from).
service:tftp-client-answer = udp 1024-65535, stateless, oneway;
# NOTE(review): taken together, the two answer entries permit all high UDP
# ports in both directions between the rule's endpoints on stateless
# devices. UDP source addresses are easy to forge, so pair this group with
# anti-spoofing filters and keep src/dst of the using rule as narrow as
# possible.
servicegroup:tftp = 
	service:tftp-request, 
	service:tftp-server-answer, 
	service:tftp-client-answer;
 
# UDP-based traceroute: outgoing probes plus the ICMP answers they trigger.
#
# Probes: UDP destination ports 33524-65535, no automatic answer rule
# ('oneway').
# NOTE(review): classic UDP traceroute starts probing at port 33434;
# confirm that the lower bound 33524 is intended.
service:traceroute-request = udp 33524-65535, oneway;
# ICMP type 11 (time exceeded), in the opposite direction ('reversed').
# 'src_net' is understood to widen a host source to its enclosing network.
# 'src_path' is not explained on this page; presumably it lets the answer
# originate from hops along the path -- confirm against the Netspoc
# version in use.
# NOTE(review): the final hop of a UDP traceroute normally answers with
# ICMP destination unreachable (type 3), which this group does not list;
# confirm whether that omission is intended.
service:time-exceeded-answer = icmp 11, reversed, src_path, src_net;
servicegroup:traceroute = 
	service:traceroute-request, 
	service:time-exceeded-answer;
 
# Ping in both directions between whole networks.
# ICMP type 8 is echo request, type 0 is echo reply. The '-out' entries run
# in the direction of the rule, the '-in' entries are 'reversed'.
#
# 'src_net' / 'dst_net' are understood to replace a host (or interface) in
# the rule by its enclosing network -- confirm against the Netspoc version
# in use.
# NOTE(review): because of that widening, a rule written against a single
# host (e.g. host:server) would permit echo traffic for the host's entire
# network, which is broader than the rule text suggests.
service:netz-ping-out = icmp 8, src_net, dst_net;
service:netz-pong-in = icmp 0, src_net, dst_net, reversed;
service:netz-ping-in = icmp 8, src_net, dst_net, reversed;
service:netz-pong-out = icmp 0, src_net, dst_net;
# All four entries: either side may ping the other and receive the reply.
servicegroup:netz-ping-in-out = 
	service:netz-ping-out, 
	service:netz-pong-in, 
	service:netz-ping-in, 
	service:netz-pong-out;

# Topology: a single chain
#   n1 -- router:stateless -- n2 -- router:stateful -- nu -- router:unmanaged -- n3
# Traffic between network:n1 and host:server therefore crosses both managed
# routers, one of each filter type.
network:n1 = { ip = 10.1.1.0/24; }
# Managed router with plain 'model = IOS'. Going by its name it filters
# without connection tracking, so entries flagged 'stateless' are expected
# to apply here.
router:stateless = { 
 managed;
 model = IOS;
 interface:n1 = { ip = 10.1.1.1; hardware = eth0; }
 interface:n2 = { ip = 10.2.2.1; hardware = eth1; }
}
network:n2 = { ip = 10.2.2.0/24; }
# Managed router with the 'FW' extension to the IOS model; presumably the
# connection-tracking variant, as the router name suggests -- confirm.
router:stateful = {
 managed;
 model = IOS, FW;
 # Two addresses on the same interface.
 interface:n2 = { ip = 10.2.2.2,10.2.2.99; hardware = eth0; }
 interface:nu = { unnumbered; hardware = serial0; }
}
# Unnumbered transfer network between router:stateful and router:unmanaged.
network:nu = { unnumbered; }
# No 'managed' attribute: this router is part of the path but is not
# declared as a filtering device here, so n3 is protected only by the two
# managed routers upstream.
router:unmanaged = {
 interface:nu;
 interface:n3 = { ip = 10.3.3.1; hardware = outside; }
}
# Destination network; host:server is the target of policy:test.
network:n3 = { ip = 10.3.3.0/24; host:server = { ip = 10.3.3.3; } }

# Test policy: permits network:n1 ('user') to reach host:server with the
# ftp-all group. The other three groups are commented out and can be
# enabled one at a time to inspect the rules generated for each.
# NOTE(review): ftp-all contains 'stateless' entries that open the full
# 1024-65535 TCP range in both directions on devices without connection
# tracking. Review the generated ACLs before reusing this policy outside a
# test setup.
policy:test = {
 user = network:n1;
 permit src = user; dst = host:server; srv = servicegroup:ftp-all,
					     #servicegroup:tftp,
					     #servicegroup:traceroute,
					     #servicegroup:netz-ping-in-out,
					     ;
}
