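{
  // Tailscale/Headscale HuJSON policy. The policy is default-deny: only the "accept"
  // rules under "acls" open anything, so every entry below is an explicit hole.
  // Member names are bare usernames; Tailscale proper expects full login names
  // (e.g. "user@example.com") — confirm against the control server in use.
  "groups": {
    "group:admin": ["davide"],
    "group:family": ["davide", "dario"],
    "group:services": ["services"], // defined but referenced by no rule below
    "group:external": [] // empty: the two external rules grant nothing until members are added
  },
  "tagOwners": {
    // Every tag referenced in "acls" needs an owner entry. The previous version listed
    // "tag:web" twice (a duplicate key most parsers resolve silently, last one wins)
    // and never defined "tag:exitnode", which the admin/family rule targets. The
    // duplicate is assumed to have been meant as "tag:exitnode" with the same owner —
    // confirm that is the intended owner before applying.
    "tag:web": ["group:admin"],
    "tag:dns": ["group:admin"],
    "tag:exitnode": ["group:admin"],
    "tag:game": ["group:admin", "group:family"]
  },
  "acls": [
    // Family and admin should be able to access every service.
    // "tag:game:*" was missing from this list although the intent is "every service";
    // owning a tag in "tagOwners" grants no access by itself, so it is listed here.
    // NOTE(review): reaching the exit node's own address is not the same as routing
    // traffic through it; Tailscale additionally requires a rule whose dst includes
    // "autogroup:internet:*" for exit-node use — verify on the control server in use.
    {
      "action": "accept",
      "src": ["group:admin", "group:family"],
      "dst": ["tag:web:*", "tag:dns:*", "tag:game:*", "tag:exitnode:*"]
    },
    // External can access only hosted games.
    // "*" opens every port on the game hosts to outsiders (SSH, admin panels, anything
    // else listening there); narrow it to the game's listening port(s) once known.
    {
      "action": "accept",
      "src": ["group:external"],
      "dst": ["tag:game:*"]
    },
    // And possibly the DNS server (or we break their internet connection).
    // UDP only: answers that do not fit a UDP response (large records, DNSSEC) are
    // retried over TCP 53 and would be dropped here — add a "proto": "tcp" rule for
    // "tag:dns:53" if that turns out to matter.
    {
      "action": "accept",
      "src": ["group:external"],
      "proto": "udp",
      "dst": ["tag:dns:53"]
    },
    // Web services should be able to make DNS queries (same TCP-fallback caveat as above).
    {
      "action": "accept",
      "src": ["tag:web"],
      "proto": "udp",
      "dst": ["tag:dns:53"]
    },
    // Family devices can reach each other on every port. Reasonable for a home network,
    // but note it lets a single compromised family device reach all the others.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["group:family:*"]
    }
  ]
}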