Simon Greenwood

A touch of email scam forensics

I deal with a number of clients in the legal profession, and this morning one of them forwarded me an email which he thought was suspicious. It appeared to be sent from a Rob Moore at a company called Progressive Property, and the body of the mail was this:

Good Afternoon,

I hope you are having a good weekend

I am instructed to deal with your firm for the purchase of a property, we are real estate company acting on behalf my clients .

The Executors appointed were her husband (predeceased) and another firm of solicitors who have renounced. The beneficiaries are the children, Tania Beaumont and Catherine Ried. They are applying for the Grant of Probate as residuary beneficiaries and therefore acting as Executors.

Please can you contact them to give a quote. They are happy to keep this probate sale with us.

Let me know when informations you need, they are looking to market the property around £3.25m.

Please can you copy in Tania’s husband into correspondence, his name is Peter Beaumont and he is very helpful.

A couple of GMail addresses and a plausible looking footer, except there was no From: address (not necessary of course, but generally expected), and a footer which included the logo of Progressive Property and the email rob@progresssiveproperty.com, and a legal disclaimer footer of the type that every legal firm has, except again, on a quick search the company it purported to be from didn’t match anything else and the address didn’t match the company at all

Read More…

One to one NAT on OVH vRack with OPNSense

## A quick summary:

  1. Assign IP range(s) as Virtual IPs
  2. Create a One to One NAT between an external IP from a virtual IP range and an internal address
  3. Create a WAN rule for the ports you want open to the internal address.
    ### 1. Assign IP ranges as Virtual IPs
    Our servers are with OVH and connected by their vRack service, which is remarkably flexible - connected servers can use an unrouted IP network, which is shared between them automatically, and for routed IP addresses, you rent a range (minimum is a /30, for reasons I\ll explain shortly) and allocate it to the vRack, and in the simplest usage they are allocated to a physical interface on a server and routed to the ranges\ gateway, which is, somewhat counter-intuitively, the second to last address in the range, which is why the smallest range possible is a /30:
    | Range | CIDR | Gateway | Usable addresses |
    |——-|——|———|——————|
    | 192.168.10.20 | /30 | 192.168.1.22 | 1 |
    | 192.168.10.16 | /29 | 192.168.1.22 | 5 |
    | 192.168.10.16 | /28 | 192.168.1.29 | 12 |
    For the purposes of this article, I\ll add a /29 as I have a routed one that\s about to be reallocated from my account.
    a) Go to Interfaces > Virtual IPs > Settings
    b) Press \+\
    c) For the mode in this context, you will use Proxy ARP as IP Alias is for a single IP - the \Single IP\ option is disabled.
    d) Select WAN for the interface
    e) Select \Network\ for Type
    f) Enter the network range in the Address field without the CIDR range and select that from the dropdown. You don\t define a gateway at this point, which also seems a bit counterintuitive but that comes at allocation time.
    g) Set a description and save.
    h) Apply changes on the main page.
    ### 2. Enable Reflection in the Firewall settings
    UPDATE 19/12/2022: I\ve been trying to work out why I couldn\t search other ActivityPub services from my Mastodon instance and found that on my local network at least, I couldn\t find the address of my blog, so this is the fix for being able to access services internally.
    a) Go to Firewall > Settings > Advanced
    b) In the Network Address Translation section, check the Reflection options that you use. I went with all three just to be sure.
    c) Save.
    ### 2. Add a One to One NAT
    a) Go to Firewall > NAT > One-to-One
    b) Press \+\
    c) For \Interface\ select \WAN\
    d) For Type selected \BINAT\ so outbound traffic is rewritten as well
    e) For \External network\ select an IP from your allocation and give it the CIDR range /32
    f) For \Source\ select \Single host or Network\ and enter the IP address of the destination server/VM/container, again with a CIDR range of /32. This is also somewhat non-intuitive at first as the pfSense instructions say the CIDR range should be the same for both addresses and in this case we have a /29 for external traffic and a /22 for internal traffic.
    g) Set \Destination\ to \any\
    h) Add a description
    i) Set NAT reflection to \Use system default\ or as required. The default is set in Firewall:Settings:Advanced and is Disabled.
    j) Save
    k) Apply changes on the main page
    ### 3. Create firewall rules
    a) Go to Firewall > Rules > WAN
    b) Press \+\
    c) Action is \Pass\
    d) Interface is WAN
    e) Direction is in
    f) TCP/IP version is generally TCP
    g) Source is \any\
    h) Destination port range will usually a single port for a protocol such as HTTPS
    i) Destination is \Single host or Network\ and the value is the IP address of the backend device with the correct CIDR range for your network, so in this case it\s 10.10.x.x/22
    j) Optionally set a description, but it\s advisable as it\s useful for documentation.
    k) Save
    l) Apply changes on the main page.
    Revision 2

HTTPS forwarding in OPNSense

This took a few days to work out and I finally found it buried in an Opnsense forum post, so here it is in a slightly easier to find way.

Objective

To forward HTTP(S) traffic to a virtual machine running Nginx (or any other HTTP proxy or load balancer) through a gateway running OPNsense.

Solution

1. Change the Web GUI port

Even if the Web GUI is inaccessible from the public interface of an Opnsense VM, it’s still listening on it on both port 80 and port 443, so change the port.
In System > Settings > Administration > Web GUI, assuming you have set the protocol to HTTPS, change TCP Port to something other than 443:
Opnsense Web GUI TCP Port

Read More…