# Firewall fragment for the git host: resolves the addresses of the git and
# web hosts, redirects SSH that arrives at web's addresses to git, and
# declares the git services together with the peers allowed to use them.

# @resolve does the DNS lookup while ferm evaluates this file, so the
# generated rules pin whatever addresses the resolver returned at that
# moment. The DNAT target below is therefore only as trustworthy as that
# lookup, and the rule set has to be regenerated when an address changes.
@def $git_ip4 = @resolve(git, A);
@def $git_ip6 = @resolve(git, AAAA);
@def $web_ip4 = @resolve(web, A);
@def $web_ip6 = @resolve(web, AAAA);

# git.higgsboson.tk points to web
# therefore DNAT port ssh back to git
#
# The rule is generated for both IPv4 and IPv6. @ipfilter keeps only the
# addresses of the family currently being generated, so each family matches
# web's address and rewrites the destination to git's address of the same
# family.
# Consequence: the match has no source or interface restriction, so every
# TCP connection to port ssh on web's addresses that passes PREROUTING is
# sent to git. An sshd running on web itself is not reachable from other
# hosts on that port through these addresses.
# NOTE(review): DNAT only rewrites the destination; the redirected
# connection still has to be accepted by the filter rules. Presumably
# &forward_to_service(git-ssh, ...) below provides that - confirm in its
# definition.
domain (ip ip6) table nat chain PREROUTING
    daddr @ipfilter(($web_ip4 $web_ip6))
    proto tcp dport ssh
    DNAT to @ipfilter(($git_ip4 $git_ip6));

# &def_service, &allow_service_for and &forward_to_service are defined
# outside this section, so the rules they emit are not visible here.
# NOTE(review): the argument meanings described below are inferred from the
# call sites only - confirm against the helper definitions.

# Service "git" on host git, tcp port 9000.
&def_service(git, git, tcp, 9000);

# Presumably (service, client): web may reach the git service, and git may
# reach postgres and ldap. Verify the argument order, because a swapped pair
# would open the reverse path instead of the intended one.
&allow_service_for(git, web);
&allow_service_for(postgres, git);
&allow_service_for(ldap, git);

# Service "git-ssh" on host git, tcp port 22, exposed via forwarding.
# The DNAT rule above matches the service name "ssh" while these calls use
# the number 22; the two agree only if "ssh" maps to 22 in the services
# database of the machine that loads the rules.
&def_service(git-ssh, git, tcp, 22);
&forward_to_service(git-ssh, tcp, 22);