Re: Running a webserver inside a bhyve host and exposing it to the world via PF

2023-10-17 Thread void

On Tue, Oct 17, 2023 at 05:00:54PM +0300, Odhiambo Washington wrote:

> I am stuck on how I can achieve this.
> I have a Linux VM running under bhyve. I have installed a webserver running
> on port 80 that I'd like to expose to the outside world.
> I am unable to figure out how to achieve this with PF running on the host
> machine.
>
> 1. I am able to access my VM using VNC Viewer
> 2. My VM is able to access the Internet
> 3. I am NOT able to ping my VM from the host
> 4. I am unable to SSH into the VM from the host.
>
> My hunch tells me it's about my PF.conf, but is there a guide somewhere on
> achieving the above?


I've been asking a similar question [1]. PF on the host blocks guests because
each guest uses a tap interface which is bridged to the real hardware interface.


I thought the only way to differentiate and filter based on these interfaces
is with layer 2. PF is layer-3 only. So it is my understanding that
PF won't work as required/expected on the host. Because, to PF, it's the
same interface. 


Try blocking port 80 on the host and allowing ping.
If you're seeing what I think you're describing, you'll be
able to ping the host and the guest but access port 80 on neither.

I tried looking at IPFW. But IPFW (of which I have next to zero knowledge)
although it understands and can filter layer2, is really layer 2+3.

What I'd like to do is get ipfw to "leave these MAC addresses here
alone, only process this one further" and I've not found a way to
do that yet, or even if it's possible.

[1] https://lists.freebsd.org/archives/freebsd-net/2023-October/004061.html
--




[Bug 273557] Regression preventing bhyve from running inside a jail without IP after f74147e26999838e03a522bf59ea33bef470d356) breaks support for jailing bhyve with IPv4 and IPv6 disabled. Patch inclu

2023-10-17 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273557

--- Comment #18 from commit-h...@freebsd.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=fd8b9c73a5a63a7aa438a73951d7a535b4f25d9a

commit fd8b9c73a5a63a7aa438a73951d7a535b4f25d9a
Author: Jan Bramkamp 
AuthorDate: 2023-09-04 08:38:25 +
Commit: Mark Johnston 
CommitDate: 2023-10-17 15:24:11 +

bhyve: Use VMIO_SIOCSIFFLAGS instead of SIOCGIFFLAGS

Creating an IP socket to invoke the SIOCGIFFLAGS ioctl on is the only
thing preventing bhyve from working inside a bhyve jail with IPv4 and
IPv6 disabled, restricting the jailed bhyve process to only access the
host network via a tap/vmnet device node.

PR: 273557
Fixes:  56be282bc999 ("bhyve: net_backends, automatically IFF_UP tap devices")
Reviewed by:markj
MFC after:  1 week

 usr.sbin/bhyve/net_backends.c | 52 ---
 1 file changed, 4 insertions(+), 48 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 273557] Regression preventing bhyve from running inside a jail without IP after f74147e26999838e03a522bf59ea33bef470d356) breaks support for jailing bhyve with IPv4 and IPv6 disabled. Patch inclu

2023-10-17 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273557

Ed Maste changed:

           What    |Removed |Added
----------------------------------------------------------------------------
           Blocks  |        |271607


Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271607
[Bug 271607] 14.0-RELEASE metabug


Re: Running a webserver inside a bhyve host and exposing it to the world via PF

2023-10-17 Thread Patrick M. Hausen
Hi all,

> On 17.10.2023 at 17:05, void wrote:
> I thought the only way to differentiate and filter based on these interfaces
> is with layer 2. PF is layer-3 only. So it is my understanding that
> PF won't work as required/expected on the host. Because, to PF, it's the
> same interface.

You can always create a bridge interface without a physical interface as member,
place an IP address on that on the host and use that one as a default gateway
for all your VMs and/or jails.

You need to enable forwarding for the host and route that subnet within your
infrastructure, but then you can filter incoming connections just fine, and if
you run a lot of VMs or jails on dozens of hosts they do not end up all in the
same broadcast domain.

Also, even with your setup, filtering should be possible. I recommend you look
at these two tunables:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

HTH,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
i...@punkt.de

AG Mannheim 108285
Geschäftsführer: Daniel Lienert, Fabian Stein
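Both approaches from Patrick's reply, worked into one script. This is an added example, not code from either poster or from FreeBSD. It assumes em0 as the physical NIC, bridge0 as the bridge the guests' tap devices are added to, 10.10.0.0/24 with the host at 10.10.0.1 and the web guest at 10.10.0.10 for the routed layout, and 192.0.2.10 as the web guest's LAN address for the bridged layout. The nat rule is an addition for hosts whose upstream router cannot be given a route for the guest subnet; Patrick routes the subnet instead. The functions emit rc.conf, sysctl.conf and pf.conf text; run with "apply" on the host to set the two tunables and load the bridged ruleset.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster: the two ways
# Patrick's reply describes for letting PF tell guest traffic from host
# traffic on a bhyve host. Interface names and addresses are assumptions.
# Nothing is applied unless the script is run with "apply" on the host.

EXT_IF="em0"            # assumed: physical NIC carrying the host's address
VM_BR="bridge0"         # assumed: bridge the guests' tap devices are added to
VM_NET="10.10.0.0/24"   # assumed: routed guest subnet (approach A)
VM_GW="10.10.0.1"       # assumed: host address on bridge0 (approach A)
WEB_VM_A="10.10.0.10"   # assumed: web guest address, approach A
WEB_VM_B="192.0.2.10"   # assumed: web guest address on the LAN, approach B

# Approach A (routed): bridge0 has no physical member and carries the guests'
# default gateway; the host forwards. rc.conf(5) fragment. The VM start
# script still adds each guest with "ifconfig bridge0 addm tapN".
rcconf_routed() {
cat <<EOF
cloned_interfaces="${VM_BR}"
ifconfig_${VM_BR}="inet ${VM_GW}/24 up"
gateway_enable="YES"
pf_enable="YES"
EOF
}

# Approach A: pf.conf(5). Guest packets enter on bridge0, host packets on
# em0, so per-interface rules work. Patrick routes the guest subnet
# upstream; the nat rule is an alternative for when the upstream router
# cannot be given a route. Translation rules must precede filter rules.
pfconf_routed() {
cat <<EOF
ext_if = "${EXT_IF}"
vm_if  = "${VM_BR}"
vm_net = "${VM_NET}"
web_vm = "${WEB_VM_A}"

set skip on lo0
nat on \$ext_if from \$vm_net to any -> (\$ext_if)
rdr on \$ext_if proto tcp from any to (\$ext_if) port 80 -> \$web_vm port 80

block all
pass in on \$ext_if proto tcp to (\$ext_if) port 22
# rdr has already rewritten the destination when this rule is evaluated
pass in on \$ext_if proto tcp to \$web_vm port 80
pass in on \$vm_if from \$vm_net
pass out on \$vm_if to \$vm_net
pass out on \$ext_if
EOF
}

# Approach B (bridged): em0 stays a member of the bridge. The two tunables
# from the reply run PF on the bridge interface instead of on each member,
# so frames forwarded between members hit rules on bridge0 while the
# host's own traffic still hits rules on em0. sysctl.conf(5) fragment.
sysctl_bridged() {
cat <<EOF
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0
EOF
}

# Approach B: pf.conf(5). A forwarded frame passes the bridge0 hooks as "in"
# then "out" whichever member it arrived on, so guest-initiated traffic is
# told apart by source address, not by interface.
pfconf_bridged() {
cat <<EOF
ext_if = "${EXT_IF}"
br_if  = "${VM_BR}"
web_vm = "${WEB_VM_B}"
guests = "{ ${WEB_VM_B} }"

set skip on lo0
block all
# the host itself
pass in on \$ext_if proto tcp to (\$ext_if) port 22
pass in on \$ext_if inet proto icmp
pass out on \$ext_if
# the guests: tcp/80 to the web guest, ping for diagnosis, anything outbound
pass in on \$br_if proto tcp to \$web_vm port 80
pass in on \$br_if inet proto icmp to \$guests
pass in on \$br_if from \$guests
pass out on \$br_if
EOF
}

# Parse a generated ruleset with pfctl -n (no load). Succeeds where pfctl
# is absent so the generators can be exercised on any machine.
check_ruleset() {
    command -v pfctl >/dev/null 2>&1 || return 0
    "$1" | pfctl -nf -
}

if [ "${1:-}" = "apply" ]; then      # on the FreeBSD host, as root
    sysctl_bridged | while IFS= read -r kv; do sysctl "$kv"; done
    check_ruleset pfconf_bridged && pfconf_bridged | pfctl -f -
fi
```

void's test (blocking port 80 on the host interface also blocks the guest) is what filtering on the member interfaces looks like; with net.link.bridge.pfil_member=0 and pfil_bridge=1, forwarded frames are only matched by the bridge0 rules, and the host's own traffic only by the em0 rules. Only IPv4/IPv6 frames go through the bridge hooks (net.link.bridge.pfil_onlyip, on by default), so ARP between guests and the LAN is unaffected. Check a ruleset before loading it with `pfctl -nf /etc/pf.conf`, and set the tunables before loading rules that rely on them.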