Re: Running a webserver inside a bhyve host and exposing it to the world via PF

From: void <void_at_f-m.fm>
Date: Tue, 17 Oct 2023 15:05:51 UTC
On Tue, Oct 17, 2023 at 05:00:54PM +0300, Odhiambo Washington wrote:
>I am stuck on how I can achieve this.
>I have a Linux VM running under bhyve. I have installed a webserver running
>on port 80 that I'd like to expose to the outside world.
>I am unable to figure out how to achieve this with PF running on the host
>machine.
>
>1. I am able to access my VM using VNC Viewer
>2. My VM is able to access the Internet
>3. I am NOT able to ping my VM from the host
>4. I am unable to SSH into the VM from the host.
>
>My hunch tells me it's about my PF.conf, but is there a guide somewhere on
>achieving the above?

I've been asking a similar question [1]. PF on the host blocks guests because
each guest uses a tap interface which is bridged to the real hardware 
interface.

I thought the only way to differentiate and filter based on these interfaces
is with layer 2. PF is layer-3 only. So it is my understanding that
PF won't work as required/expected on the host, because, to PF, it's the
same interface.

Try blocking port 80 on the host and allowing ping.
If you're seeing what I think you're describing, you'll be
able to ping the host and the guest but access port 80 on neither.

I tried looking at IPFW. But IPFW (of which I have next to zero knowledge),
although it understands and can filter layer 2, is really layer 2+3.

What I'd like to do is get ipfw to "leave these MAC addresses here 
alone, only process this one further" and I've not found a way to
do that yet, or even if it's possible.

[1] https://lists.freebsd.org/archives/freebsd-net/2023-October/004061.html
--
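The probe suggested in the reply above (block port 80 on the host, allow ping, then see whether the guest behind the bridged tap is cut off as well) written out as a host-side pf.conf fragment. This is an added example by the editor, not part of the original mail or the poster's own configuration. Interface names are assumptions: em0 is the real NIC, bridge0 the bridge, tap0 the guest's tap interface; adjust them to the host. Whether PF sees bridged frames at all on the member interfaces is governed by the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, so check those first.

```conf
# Added example (editor's, not from the original post). Host-side /etc/pf.conf
# for the diagnostic described in the reply: allow ICMP echo, block TCP/80 on
# the external interface, then test the host and the bhyve guest from outside.
#
# Before loading, check how the bridge hands frames to pfil (assumed names):
#   sysctl net.link.bridge.pfil_member   # 1 = filter on em0/tap0 as members
#   sysctl net.link.bridge.pfil_bridge   # 1 = filter on bridge0 itself
#   sysctl net.link.bridge.pfil_onlyip   # 1 = non-IP frames bypass pfil
# Load with: pfctl -nf /etc/pf.conf (syntax check), then pfctl -f /etc/pf.conf

ext_if   = "em0"      # assumption: physical NIC, member of bridge0
guest_if = "tap0"     # assumption: bhyve guest's tap, member of bridge0

set skip on lo0

# Default deny; the quick rules below take precedence in order.
block log all

# Host and guests may initiate outbound connections.
pass out quick on $ext_if inet keep state

# The "allow ping" half of the probe.
pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state

# The "block port 80" half of the probe. Written like this it matches every
# inbound TCP/80 on em0, the guest's address included, so the guest's web
# server becomes unreachable too (the symptom the reply describes).
block in log quick on $ext_if inet proto tcp to port 80

# Narrower variant for comparison: ($ext_if) expands to the host's own
# addresses only, so frames bound for the guest's IP are not matched here
# and continue on to the bridge. Swap the two lines to see the difference.
# block in log quick on $ext_if inet proto tcp to ($ext_if) port 80
```

From a machine outside the host, `ping` both the host and the guest, then try `nc -vz <host> 80` and `nc -vz <guest> 80`. With the broad rule loaded, ping succeeds for both and port 80 fails for both; `pfctl -ss` and the `log` keyword (via `tcpdump -n -e -ttt -i pflog0`) show which rule caught the guest's traffic and on which interface, which is the evidence the reply is asking for.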