Re: Running a webserver inside a bhyve host and exposing it to the world via PF
- In reply to: Paul Procacci : "Re: Running a webserver inside a bhyve host and exposing it to the world via PF"
Date: Wed, 18 Oct 2023 09:35:33 UTC
On Tue, Oct 17, 2023 at 6:03 PM Paul Procacci <pprocacci@gmail.com> wrote:

> On Tue, Oct 17, 2023 at 10:01 AM Odhiambo Washington <odhiambo@gmail.com>
> wrote:
>
>> I am stuck on how I can achieve this.
>> I have a Linux VM running under bhyve. I have installed a webserver
>> running on port 80 that I'd like to expose to the outside world.
>> I am unable to figure out how to achieve this with PF running on the host
>> machine.
>>
>> 1. I am able to access my VM using VNC Viewer
>> 2. My VM is able to access the Internet
>> 3. I am NOT able to ping my VM from the host
>> 4. I am unable to SSH into the VM from the host.
>>
>> My hunch tells me it's about my PF.conf, but is there a guide somewhere
>> on achieving the above?
>>
>> --
>> Best regards,
>> Odhiambo WASHINGTON,
>> Nairobi,KE
>> +254 7 3200 0004/+254 7 2274 3223
>> "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
>> [How to ask smart questions:
>> http://www.catb.org/~esr/faqs/smart-questions.html]
>
> Care to share what you tried with your PF.conf?
>
> It should be something as simple as:
> rdr on <interface> proto tcp from <source host> to <physical host> port
> <physical port> -> <internal host> port <internal port>

Two rules that aren't working:

    # VM HTTP
    rdr pass on $ext_if inet proto tcp from any to any port { 8081, 8999 } \
        -> 172.16.0.99 port 80
    # VM SSH
    rdr pass on $ext_if inet proto tcp from any to port { 2222 } \
        -> 172.16.0.99 port 22

I am able to PING the VM from the HOST.
From the host, I am able to SSH to the VM.
I am also able to do `telnet VM_IP 80` successfully.
From the WAN (Internet) when I do `ssh HOST:2222`, I expect to land in the VM, but that does not happen.

So far I have:

    # bhyve
    bhyve_net="172.16.0.0/24"

And this NAT rule:

    nat on $ext_if from $bhyve_net to any -> ($ext_if)

Do I need another PF rule to deal with the above issue?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]