body server control
{
    any::
        allowconnects         => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        allowallconnects      => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        trustkeysfrom         => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        maxconnections        => "200";
        denybadclocks         => "false";
        # last single quote in cfruncommand is left open, so that
        # arguments (like -K and --remote-bundles) are properly appended.
        cfruncommand => "$(def.cf_runagent_shell) -c \'
                             $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path)  ;
                             $(sys.cf_agent) -I -D cfruncommand";
    !policy_server::
        allowusers            => { "root" };
}

bundle server access_rules()
{
    access:
        any::
            "$(sys.masterdir)"
                shortcut => "masterfiles",
                admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
            "$(sys.masterdir)/modules"
                shortcut => "modules",
                admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
            "/bin/sh"
                admit => { "$(sys.policy_hub)" };
    roles:
        any::
            ".*" authorize => { "root" };
}