From: void <void@f-m.fm>
To: freebsd-virtualization@freebsd.org
Date: Tue, 17 Oct 2023 16:05:51 +0100
Subject: Re: Running a webserver inside a bhyve host and exposing it to the world via PF
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization
On Tue, Oct 17, 2023 at 05:00:54PM +0300, Odhiambo Washington wrote:
>I am stuck on how I can achieve this.
>I have a Linux VM running under bhyve. I have installed a webserver running
>on port 80 that I'd like to expose to the outside world.
>I am unable to figure out how to achieve this with PF running on the host
>machine.
>
>1. I am able to access my VM using VNC Viewer
>2. My VM is able to access the Internet
>3. I am NOT able to ping my VM from the host
>4. I am unable to SSH into the VM from the host.
>
>My hunch tells me it's about my PF.conf, but is there a guide somewhere on
>achieving the above?

I've been asking a similar question [1].

PF on the host blocks guests because each guest uses a tap interface which is bridged to the real hardware interface. I thought the only way to differentiate and filter based on these interfaces is with layer 2. PF is layer-3 only.

So it is my understanding that PF won't work as required/expected on the host, because, to PF, it's the same interface.

Try blocking port 80 on the host and allowing ping. If you're seeing what I think you're describing, you'll be able to ping the host and the guest but access port 80 on neither.

I tried looking at IPFW. But IPFW (of which I have next to zero knowledge), although it understands and can filter layer 2, is really layer 2+3. What I'd like to do is get ipfw to "leave these MAC addresses here alone, only process this one further", and I've not found a way to do that yet, or even if it's possible.

[1] https://lists.freebsd.org/archives/freebsd-net/2023-October/004061.html
--
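The diagnostic suggested in the message above ("block port 80 on the host and allow ping"), written out as a pf.conf fragment. This is an added example and is not part of the original thread or of anyone's posted configuration; it assumes the bridged physical NIC is em0 and an otherwise default-pass ruleset, so adjust the interface name and merge it into your real policy rather than loading it as-is on a production host.

```pf
# Added diagnostic ruleset (not from the original thread).
# Assumption: em0 is the physical NIC that the guest tap interfaces are
# bridged to. Change it to match the host.
ext_if = "em0"

set skip on lo0

# Deliberately refuse TCP/80 arriving on the bridged NIC and log the drops
# to pflog0 so the destination address of each blocked packet is visible.
block in quick log on $ext_if proto tcp from any to any port 80

# Keep ICMP echo open so both host and guest stay pingable during the test.
pass in quick on $ext_if inet proto icmp icmp-type echoreq

# Everything else passes; this is a diagnostic, not a hardened policy.
pass all
```

Load it with `pfctl -f /etc/pf.conf`, then from a machine outside the host ping both the host and the guest address and attempt TCP/80 on both. Run `tcpdump -n -e -ttt -i pflog0` on the host while doing so: if the logged drops include packets destined for the guest's address, PF is matching guest traffic on the physical interface exactly as the message describes. Before interpreting the result, also check `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`; those bridge(4) knobs decide whether traffic crossing bridge member interfaces or the bridge interface itself is handed to the packet filter at all, so their values change what PF can see.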