Date: Wed, 18 Oct 2023 12:35:33 +0300 From: Odhiambo Washington <odhiambo@gmail.com> To: freebsd-virtualization@freebsd.org Cc: Paul Procacci <pprocacci@gmail.com> Subject: Re: Running a webserver inside a bhyve host and exposing it to the world via PF Message-ID: <CAAdA2WNCqxpnHPxmdpvc7ECvUvZbp1YaDsNTTgYPxhaM_2nHRw@mail.gmail.com> In-Reply-To: <CAFbbPuiRLC0F93JMybdk2sFzJ2X_o5JqkQo3trd91LoZeusXqA@mail.gmail.com> References: <CAAdA2WNzTb6Fvk=Z%2BtAx376mBRztgxY_M75aXBzDFN1bb9yOuQ@mail.gmail.com> <CAFbbPuiRLC0F93JMybdk2sFzJ2X_o5JqkQo3trd91LoZeusXqA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Tue, Oct 17, 2023 at 6:03 PM Paul Procacci <pprocacci@gmail.com> wrote: > > > On Tue, Oct 17, 2023 at 10:01 AM Odhiambo Washington <odhiambo@gmail.com> > wrote: > >> I am stuck on how I can achieve this. >> I have a Linux VM running under bhyve. I have installed a webserver >> running on port 80 that I'd like to expose to the outside world. >> I am unable to figure out how to achieve this with PF running on the host >> machine. >> >> 1. I am able to access my VM using VNC Viewer >> 2. My VM is able to access the Internet >> 3. I am NOT able to ping my VM from the host >> 4. I am unable to SSH into the VM from the host. >> >> My hunch tells me it's about my PF.conf, but is there a guide somewhere >> on achieving the above? >> >> >> -- >> Best regards, >> Odhiambo WASHINGTON, >> Nairobi,KE >> +254 7 3200 0004/+254 7 2274 3223 >> "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) >> [How to ask smart questions: >> http://www.catb.org/~esr/faqs/smart-questions.html] >> > > Care to share what you tried with your PF.conf? > > It should be something as simple as: > rdr on <interface> proto tcp from <source host> to <physical host> port > <physical port> -> <internal host> port <internal port> > Two rules that aren't working: # VM HTTP rdr pass on $ext_if inet proto tcp from any to any port { 8081, 8999 } \ -> 172.16.0.99 port 80 # VM SSH rdr pass on $ext_if inet proto tcp from any to port { 2222 } \ -> 172.16.0.99 port 22 I am able to PING the VM from the HOST. >From the host, I am able to SSH to the VM. I am also able to do `telnet VM_IP 80` successfully. >From the WAN (Internet) when I do `ssh HOST:2222`, I expect to land in the VM, but that does not happen. So far I have: # bhyve bhyve_net="172.16.0.0/24" And this NAT rule: nat on $ext_if from $bhyve_net to any -> ($ext_if) Do I need another PF rule to deal with the above issue? -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html] [-- Attachment #2 --] <div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 17, 2023 at 6:03 PM Paul Procacci <<a href="mailto:pprocacci@gmail.com">pprocacci@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 17, 2023 at 10:01 AM Odhiambo Washington <<a href="mailto:odhiambo@gmail.com" target="_blank">odhiambo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I am stuck on how I can achieve this.<div>I have a Linux VM running under bhyve. I have installed a webserver running on port 80 that I'd like to expose to the outside world.</div><div>I am unable to figure out how to achieve this with PF running on the host machine.</div><div><br></div><div>1. I am able to access my VM using VNC Viewer</div><div>2. My VM is able to access the Internet</div><div>3. I am NOT able to ping my VM from the host</div><div>4. I am unable to SSH into the VM from the host. </div><div><br></div><div>My hunch tells me it's about my PF.conf, but is there a guide somewhere on achieving the above?</div><div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">", </span><span style="font-size:12.8px">egrep -v '^$|^.*#' </span><span style="background-color:rgb(34,34,34);color:rgb(238,238,238);font-family:"Lucida Console",Consolas,"Courier New",monospace;font-size:13.6px">¯\_(ツ)_/¯</span><span style="font-size:12.8px"> :-)</span></div><div><span style="font-size:12.8px">[How to ask smart questions: </span><span style="font-size:12.8px"><a href="http://www.catb.org/~esr/faqs/smart-questions.html" target="_blank">http://www.catb.org/~esr/faqs/smart-questions.html</a>]</span></div></div></div></div></div></div>; </blockquote></div><br clear="all"></div><div>Care to share what you tried with your PF.conf?</div><div><br>It should be something as simple as:<br>rdr on <interface> proto tcp from <source host> to <physical host> port <physical port> -> <internal host> port <internal port><br></div></div></blockquote><div><br></div><div>Two rules that aren't working:</div><div><br></div># VM HTTP<br>rdr pass on $ext_if inet proto tcp from any to any port { 8081, 8999 } \<br> -> 172.16.0.99 port 80<br># VM SSH<br>rdr pass on $ext_if inet proto tcp from any to port { 2222 } \<br><div> -> 172.16.0.99 port 22</div><div> </div><div></div></div><div>I am able to PING the VM from the HOST.</div><div><br></div>From the host, I am able to SSH to the VM. I am also able to do `telnet VM_IP 80` successfully.<div><br></div><div>From the WAN (Internet) when I do `ssh HOST:2222`, I expect to land in the VM, but that does not happen.</div><div><br></div><div>So far I have:<br></div><div><br></div><div># bhyve<br>bhyve_net="<a href="http://172.16.0.0/24">172.16.0.0/24</a>"<br></div><div><br></div><div>And this NAT rule:</div><div>nat on $ext_if from $bhyve_net to any -> ($ext_if)<br></div><div><br></div><div>Do I need another PF rule to deal with the above issue?</div><div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">", </span><span style="font-size:12.8px">egrep -v '^$|^.*#' </span><span style="background-color:rgb(34,34,34);color:rgb(238,238,238);font-family:"Lucida Console",Consolas,"Courier New",monospace;font-size:13.6px">¯\_(ツ)_/¯</span><span style="font-size:12.8px"> :-)</span></div><div><span style="font-size:12.8px">[How to ask smart questions: </span><span style="font-size:12.8px"><a href="http://www.catb.org/~esr/faqs/smart-questions.html" target="_blank">http://www.catb.org/~esr/faqs/smart-questions.html</a>]</span></div></div></div></div></div></div>;help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAdA2WNCqxpnHPxmdpvc7ECvUvZbp1YaDsNTTgYPxhaM_2nHRw>