23.5 normal {{HOSTNAME}} {{DOMAIN}} 9.9.9.9 1.1.1.1 149.112.112.112 0 Etc/UTC {{NTP_SERVERS}} https 8443 2 0 0 0 webgui-cert-ref 1 20 1b4f2d; 1 1 1 hadp hadp hadp monthly 0 enabled 22 enabled 1 115200 serial 1 admin user admins $2y$10$REPLACE_BCRYPT_HASH 0 user-shell-access CHANGE_ME_BASE64_SSH_PUBKEY 2027-12-31 Platform admin - MFA required via TOTP admins System administrators system 1999 page-all {{WAN_IF}} WAN 1 1 1 {{WAN_IP}} 30 WAN_GW 1500 {{LAN_IF}} LAN 1 {{LAN_NET_FIRST_IP}} 24 {{DMZ_IF}} DMZ 1 {{DMZ_NET_FIRST_IP}} 24 {{GUEST_IF}} GUEST 1 {{GUEST_NET_FIRST_IP}} 24 ADMIN_NET network

{{ADMIN_SUBNET}}

Approved admin source networks RFC1918 network

10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

All RFC1918 space SIEM host

{{SYSLOG_SERVER}}

Central syslog / SIEM DNS_UPSTREAM host

9.9.9.9 1.1.1.1 149.112.112.112

Approved upstream resolvers BOGON_EGRESS_BLOCK network

0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4

Never allow egress to these MGMT_TCP port

22 8443 161

Admin ports - never expose to WAN block wan any BOGON_EGRESS_BLOCK Drop bogons at WAN ingress 1 block wan any RFC1918 Drop RFC1918 arriving at WAN 1 block lan tcp lan MGMT_TCP Block LAN clients hitting firewall admin unless in ADMIN_NET 1 pass lan any ADMIN_NET lan MGMT_TCP Admin sources may reach firewall admin pass lan udp lan

DNS_UPSTREAM

53 LAN to approved DNS only block lan udp lan 53 Block DNS to any other server (prevent bypass) 1 pass lan tcp lan 80 443 Standard web egress block lan any opt2 LAN cannot reach GUEST 1 block lan any opt1 LAN cannot initiate to DMZ (DMZ is published via NAT) 1 pass opt2 udp opt2

DNS_UPSTREAM

53 Guest DNS to upstream resolvers pass opt2 tcp opt2 80 443 Guest web egress block opt2 any RFC1918 Guest cannot reach any RFC1918 except own subnet 1 pass opt1 udp opt1

DNS_UPSTREAM

53 DMZ DNS block opt1 any opt1 lan DMZ cannot reach LAN 1 hybrid lan wan Outbound NAT LAN opt1 wan Outbound NAT DMZ opt2 wan Outbound NAT Guest 1 {{LAN_NET_DHCP_FROM}} {{LAN_NET_DHCP_TO}} 3600 7200 {{LAN_NET_FIRST_IP}} {{LAN_NET_FIRST_IP}} 0 1 {{GUEST_NET_DHCP_FROM}} {{GUEST_NET_DHCP_TO}} 3600 7200 1.1.1.1 9.9.9.9 {{GUEST_NET_FIRST_IP}} 53 lan,opt1,opt2 wan transparent 1 1 1 1 server: harden-below-nxdomain: yes harden-referral-path: yes harden-glue: yes harden-dnssec-stripped: yes hide-identity: yes hide-version: yes prefetch: yes prefetch-key: yes qname-minimisation: yes use-caps-for-id: yes aggressive-nsec: yes deny-any: yes 500 {{SYSLOG_SERVER}}:514 ipv4 1 1 1 1 1 512000 7 1 {{SNMP_LOCATION}} netops@{{DOMAIN}} REPLACE_WITH_V3 0 SNMP v1/v2c disabled - use v3 via package 1 1