The Apple TV series Mythic Quest had an episode in which the game found it had an extreme right wing problem. Their solution was to corral the right wingers in a server where they could shout at each other and fight as much as they wanted without bothering other players.

The Fediverse, running, as it does, largely on free software, came about in part due to Twitter and other platforms' unwillingness or inability to deal with an extreme right wing problem. However, as it's free and open source software, the bad actors were also free to create their own instances and interact. The response was filtering, blocking and defederation.

If you run a Mastodon or other Fediverse social media instance, even if it's only for yourself, filtering and blocking is one of the most powerful tools you have. You can filter hashtags, users and whole instances, both personally and globally.

Lists have developed over the years along with the tools to apply them, but they have often been personal efforts. The hashtag can also be used, but it's something of a blunt instrument and is too easily hijacked for personal opinions and even feuds.

The current attempt to deal with this in an effective way is the Oliphant.social blocklist files, created through a consensus of ten of the most active Fediverse instances. This produces a collection of blocklists that can be applied as an administrator sees fit. Follow the instructions there to download, maintain and apply them. At the moment I apply the Tier 0 blocklist.

In addition, Ro Iskinda's The Bad Space collects the most commonly reported bad actors and new ones that appear, and can be used with an API to check if you encounter a doubtful user or instance.

I got my first Android phone, a Moto Droid, in 2010. It wasn't my first smartphone; finding one had been a quest with varying degrees of success for years (I still miss the Nokia E series keyboard phones a bit).

Among the things installed on it was Facebook. Even then I was suitably suspicious, so I wanted to remove it, except I couldn't without rooting, as it was a system app, and this was the awful wrapper-around-the-website version. However, being a system app, it still had full access to your phone. Which was nice.

However, by 2010 it had been preinstalled for a few years, if not as a native app then as phone-provider bloatware, and I think this was a major contributor to Facebook's takeup. You took your phone out of its box, went through the welcome screens and there it was. You could sign up and you could speak your brains to your heart's content.

I think this was as important a change in Internet culture as Microsoft putting an icon on the Windows 95 desktop labelled 'The Internet'. No, wait, come back.

Large scale social networks were not a new thing when Facebook went global. Friends Reunited created networks based on school connections in the late 90s. Six Degrees, Livejournal, Friendster, Myspace, Orkut all came and went to varying degrees. Google tried and couldn't get it to work, even when betting the farm on it. In that context, Facebook survived and persisted by learning continually, starting with putting the icon on your desktop/phone screen.

It annoys me that I have to keep a Facebook presence, for a few friends and because the parents at my daughter's school use it for messaging. It and WhatsApp are the lowest common denominators for messaging, but I've handed that off to a bridge: I'm testing Beeper, but could fall back to Matrix bridges (same thing, self hosted) if it doesn't work out.

Of course, this is little compared to having a whole device under your control, especially when Google has now seemingly decided that it doesn't believe in the open Internet any more.

I'm not going to say 'this is what you should do' on this blog at any time, but I am going to say 'this is what I'm going to do'. I've been online for nearly 30 years, nothing compared to some people, and one of the compelling things about the Internet for me is interoperability. Walled gardens always become overgrown, and when someone decides to effectively turn one inside out, then it's time to do some weeding (yes, I'm prone to that sort of hyperbole, sorry).

I deal with a number of clients in the legal profession, and this morning one of them forwarded me an email which he thought was suspicious. It appeared to be sent from a Rob Moore at a company called Progressive Property, and the body of the mail was this:

Good Afternoon,

I hope you are having a good weekend

I am instructed to deal with your firm for the purchase of a property, we are real estate company acting on behalf my clients .

The Executors appointed were her husband (predeceased) and another firm of solicitors who have renounced. The beneficiaries are the children, Tania Beaumont and Catherine Ried. They are applying for the Grant of Probate as residuary beneficiaries and therefore acting as Executors.

Please can you contact them to give a quote. They are happy to keep this probate sale with us.

Let me know when informations you need, they are looking to market the property around £3.25m.

Please can you copy in Tania’s husband into correspondence, his name is Peter Beaumont and he is very helpful.

A couple of Gmail addresses and a plausible-looking footer, except there was no From: address (not necessary of course, but generally expected). The footer included the logo of Progressive Property, the email address rob@progresssiveproperty.com and a legal disclaimer of the type that every legal firm has, except that, again, on a quick search the company it purported to be from didn't match anything else and the address didn't match the company at all.

Yes, three s's. On additional readings the body of the mail looks increasingly like a 419 scam, and the domain name returns Cloudflare records and a Microsoft Exchange login page.

It occurred to me to look up Progressive Property and of course there's a successful UK company of that name, and Rob Moore is one of its founders. Obviously they're in no way related to this scam, but it was increasingly understandable how much trust this could create, and it was clearly aimed at a particular business sector.

I have a virtual OPNsense router as the gateway to a production network based on Proxmox servers (more about this another day). All VMs and containers get an unrouted IP address in the 10.x.x.x range and I have a couple of IP ranges for public access, generally but not always behind Haproxy. This doesn't seem to be documented properly elsewhere.

## A quick summary

1. Assign IP range(s) as Virtual IPs
2. Enable NAT reflection in the firewall settings (added in the update below)
3. Create a One to One NAT between an external IP from a Virtual IP range and an internal address
4. Create a WAN rule for the ports you want open to the internal address.

### 1. Assign IP ranges as Virtual IPs

Our servers are with OVH and connected by their vRack service, which is remarkably flexible: connected servers can use an unrouted IP network, which is shared between them automatically. For routed IP addresses, you rent a range (minimum is a /30, for reasons I'll explain shortly) and allocate it to the vRack. In the simplest usage the addresses are allocated to a physical interface on a server and routed to the range's gateway, which is, somewhat counter-intuitively, the second to last address in the range, which is why the smallest range possible is a /30:

| Range | CIDR | Gateway | Usable addresses |
|-------|------|---------|------------------|
| 192.168.10.20 | /30 | 192.168.1.22 | 1 |
| 192.168.10.16 | /29 | 192.168.1.22 | 5 |
| 192.168.10.16 | /28 | 192.168.1.29 | 12 |

For the purposes of this article, I'll add a /29, as I have a routed one that's about to be reallocated from my account.

a) Go to Interfaces > Virtual IPs > Settings
b) Press '+'
c) For the mode in this context, use Proxy ARP, as IP Alias is for a single IP; the 'Single IP' option is disabled.
d) Select WAN for the interface
e) Select 'Network' for Type
f) Enter the network range in the Address field without the CIDR prefix and select the prefix from the dropdown. You don't define a gateway at this point, which also seems a bit counterintuitive, but that comes at allocation time.
g) Set a description and save.
h) Apply changes on the main page.

### 2. Enable Reflection in the Firewall settings

UPDATE 19/12/2022: I've been trying to work out why I couldn't search other ActivityPub services from my Mastodon instance and found that, on my local network at least, I couldn't find the address of my blog, so this is the fix for being able to access services internally.

a) Go to Firewall > Settings > Advanced
b) In the Network Address Translation section, check the Reflection options that you use. I went with all three just to be sure.
c) Save.

### 3. Add a One to One NAT

a) Go to Firewall > NAT > One-to-One
b) Press '+'
c) For 'Interface' select 'WAN'
d) For Type select 'BINAT' so outbound traffic is rewritten as well
e) For 'External network' select an IP from your allocation and give it the CIDR range /32
f) For 'Source' select 'Single host or Network' and enter the IP address of the destination server/VM/container, again with a CIDR range of /32. This is also somewhat non-intuitive at first, as the pfSense instructions say the CIDR range should be the same for both addresses, and in this case we have a /29 for external traffic and a /22 for internal traffic.
g) Set 'Destination' to 'any'
h) Add a description
i) Set NAT reflection to 'Use system default' or as required. The default is set in Firewall > Settings > Advanced and is Disabled.
j) Save
k) Apply changes on the main page

### 4. Create firewall rules

a) Go to Firewall > Rules > WAN
b) Press '+'
c) Action is 'Pass'
d) Interface is WAN
e) Direction is in
f) TCP/IP version is IPv4; Protocol is generally TCP
g) Source is 'any'
h) Destination port range will usually be a single port for a protocol such as HTTPS
i) Destination is 'Single host or Network' and the value is the IP address of the backend device with the correct CIDR range for your network, so in this case it's 10.10.x.x/22
j) Optionally set a description; it's advisable, as it's useful for documentation.
k) Save
l) Apply changes on the main page.
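Before typing addresses into the Virtual IP and One-to-One NAT screens, it is worth checking the pair on paper. The following is an added example (not part of the post or of OPNsense) that applies the rule stated above, that the vRack gateway is the second-to-last address of the block, to list the usable externals and to reject a BINAT pair whose external is the gateway, network or broadcast address or whose "internal" side is not an unrouted 10.x.x.x address. The block, the 10.0.0.0/8 default and the internal host are assumed values.

```python
import ipaddress

# Rule from the post for an OVH vRack block: the network address, the broadcast
# address and the gateway (second-to-last address) are reserved; the rest is usable.


def vrack_gateway(block: str) -> str:
    """Gateway of a routed vRack block, e.g. 192.168.10.16/29 -> 192.168.10.22."""
    net = ipaddress.ip_network(block, strict=True)
    return str(net.broadcast_address - 1)


def usable_addresses(block: str) -> list[str]:
    """Addresses you can hand out as One-to-One NAT externals (gateway excluded)."""
    net = ipaddress.ip_network(block, strict=True)
    gateway = net.broadcast_address - 1
    return [str(h) for h in net.hosts() if h != gateway]


def check_binat(block: str, external: str, internal: str,
                unrouted: str = "10.0.0.0/8") -> list[str]:
    """Problems with a proposed BINAT pair (external /32 <-> internal /32); [] means OK."""
    problems = []
    net = ipaddress.ip_network(block, strict=True)
    ext, inn = ipaddress.ip_address(external), ipaddress.ip_address(internal)
    if ext not in net:
        problems.append(f"{external} is not inside the Virtual IP range {block}")
    elif str(ext) not in usable_addresses(block):
        problems.append(f"{external} is the network, broadcast or gateway address of {block}")
    if inn not in ipaddress.ip_network(unrouted):
        problems.append(f"{internal} is not an unrouted address in {unrouted}")
    return problems


if __name__ == "__main__":
    # Constructed values: the /29 from the table above and a hypothetical internal VM.
    block = "192.168.10.16/29"
    print("gateway:", vrack_gateway(block), "usable:", usable_addresses(block))
    for ext, inn in [("192.168.10.18", "10.10.1.5"),    # fine
                     ("192.168.10.22", "10.10.1.5"),    # the gateway: rejected
                     ("192.168.10.18", "192.168.1.5")]:  # routed address as 'internal': rejected
        print(ext, "->", inn, check_binat(block, ext, inn) or "OK")
```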

This took a few days to work out and I finally found it buried in an OPNsense forum post, so here it is in a slightly easier to find way.

Objective

To forward HTTP(S) traffic to a virtual machine running Nginx (or any other HTTP proxy or load balancer) through a gateway running OPNsense.

Solution

1. Change the Web GUI port

Even if the Web GUI is inaccessible from the public interface of an OPNsense VM, it's still listening on both port 80 and port 443, so change the port.
In System > Settings > Administration > Web GUI, assuming you have set the protocol to HTTPS, change TCP Port to something other than 443:
[Screenshot: OPNsense Web GUI TCP Port]

Press Save and the configuration will reload. You may need to click on the link in the notification bar for it to complete.

2. Create aliases for the HTTP(S) service

This was the bit I didn't get: I was trying to define NAT ports and IPs manually instead of using aliases (more about aliases in OPNsense).
Assume your internal network is 192.168.1.0/24 and your web server is at 192.168.1.10. The WAN address is the public IP address of your gateway.
In Firewall > Aliases > View

  1. Click the plus button to add a new alias.
  2. Enter the following:
    • Enabled: check
    • Type: Hosts
    • Name: Reverse Proxy (or whatever, this is the identifier)
    • Content: 192.168.1.10
    • Statistics (as required)
    • Description: The reverse proxy host
  3. Click Save
  4. Click the plus button to add a new alias again.
  5. Enter the following:
    • Enabled: check
    • Type: Port(s)
    • Name: Reverse Proxy Ports
    • Content: 80, 443 (each port is a separate item)
    • Statistics: (as required)
    • Description: Reverse proxy ports
  6. Click Save and Apply Settings.

3. Create a NAT rule

In Firewall > NAT > Port Forward

  1. Click the Plus button to add a new Port Forward rule
  2. Enter the following:
    • Interface: WAN
    • TCP/IP version: IPv4
    • Protocol: TCP
    • Destination: WAN Address
    • Destination port range: from Reverse Proxy Ports to Reverse Proxy Ports (this will be in the dropdown under Aliases)
    • Redirect Target IP: Reverse Proxy (from the dropdown)
    • Redirect Target Ports: Reverse Proxy Ports (from the dropdown)
    • Pool Options: Default
    • NAT Reflection: Enable
    • Filter rule association: Rule
  3. Click Save and Apply settings.
    This also creates a rule in Firewall > Rules > WAN for the aliases.

If your web server/load balancer VM is up and you at least have a default configuration available, you should get a page.
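The alias step above can also be scripted and checked rather than clicked through. The following is an added example (not code from the post or from the OPNsense project) that builds the two alias definitions for the reverse proxy, refuses a host outside the 192.168.1.0/24 LAN, refuses forwarding the port the Web GUI still listens on (the point of step 1), and posts them through the OPNsense API with key/secret basic auth. The endpoint paths, the newline-separated `content` format, the no-spaces rule for alias names and the key/secret placeholders are assumptions.

```python
import base64
import ipaddress
import json
import re
import urllib.request

# Constructed values matching the worked setup above; adjust for your own network.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed: alias names have no spaces


def host_alias(name: str, ip: str, description: str = "") -> dict:
    """Build the 'Hosts' alias for the reverse proxy, refusing addresses outside the LAN."""
    if not ALIAS_NAME.match(name):
        raise ValueError(f"alias name {name!r} must be letters, digits and underscores")
    addr = ipaddress.ip_address(ip)
    if addr not in LAN:
        raise ValueError(f"{ip} is not inside the internal network {LAN}")
    return {"alias": {"enabled": "1", "name": name, "type": "host",
                      "content": str(addr), "description": description}}


def port_alias(name: str, ports: list[int], gui_port: int, description: str = "") -> dict:
    """Build the 'Port(s)' alias; refuse the port the Web GUI is still listening on."""
    if not ALIAS_NAME.match(name):
        raise ValueError(f"alias name {name!r} must be letters, digits and underscores")
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"invalid ports: {bad}")
    if gui_port in ports:
        raise ValueError(f"port {gui_port} is the Web GUI port; move the GUI first (step 1)")
    # Assumed API convention: one item per line in 'content'.
    return {"alias": {"enabled": "1", "name": name, "type": "port",
                      "content": "\n".join(str(p) for p in ports), "description": description}}


def api_post(base_url: str, key: str, secret: str, path: str, payload: dict) -> dict:
    """POST JSON to the OPNsense API with key/secret basic auth (assumes a trusted certificate)."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed endpoint paths and placeholder credentials; the GUI was moved to 8443 in step 1.
    base, key, secret = "https://192.168.1.1:8443", "<API_KEY>", "<API_SECRET>"
    for payload in (host_alias("ReverseProxy", "192.168.1.10", "The reverse proxy host"),
                    port_alias("ReverseProxyPorts", [80, 443], 8443, "Reverse proxy ports")):
        print(api_post(base, key, secret, "/api/firewall/alias/addItem", payload))
    print(api_post(base, key, secret, "/api/firewall/alias/reconfigure", {}))
```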

H/T to huticip in the Opnsense forums.