From 5d73d954cdec0a507b2d93b9dedd1aef890e3f2a Mon Sep 17 00:00:00 2001 From: Niklas Hambüchen Date: Fri, 10 Nov 2023 18:32:46 +0100 Subject: manual: Don't suggest exposing VM port to local network. The setting QEMU_NET_OPTS="hostfwd=tcp::2222-:22" caused the VM's port 2222 to be advertised on the host as `0.0.0.0:2222`, thus anybody in the local network of the host could SSH into the VM. Instead, port-forward to localhost only. Use `127.0.0.1` also on the VM side, otherwise connections to services that, in the VM, bind to `127.0.0.1` only (doing the safe approach) do not work. See e.g. https://github.com/NixOS/nixpkgs/issues/100192 for more info why localhost listening is the best default. --- nixos/doc/manual/installation/changing-config.chapter.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/doc/manual/installation/changing-config.chapter.md b/nixos/doc/manual/installation/changing-config.chapter.md index 11b49ccb1f6..f2ffea9088a 100644 --- a/nixos/doc/manual/installation/changing-config.chapter.md +++ b/nixos/doc/manual/installation/changing-config.chapter.md @@ -89,7 +89,7 @@ guest. For instance, the following will forward host port 2222 to guest port 22 (SSH): ```ShellSession -$ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm +$ QEMU_NET_OPTS="hostfwd=tcp:127.0.0.1:2222-127.0.0.1:22" ./result/bin/run-*-vm ``` allowing you to log in via SSH (assuming you have set the appropriate -- cgit 1.4.1
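Review bot: the manual sentence above the changed line ("the following will forward host port 2222 to guest port 22 (SSH)") stays as it was, so the reason for the explicit host-side `127.0.0.1` exists only in the commit message. A reader who shortens the example back to `hostfwd=tcp::2222-:22` gets the `0.0.0.0:2222` listener again without any hint from the chapter. Consider adding one sentence to the chapter text saying that an empty host address listens on all interfaces and that the example binds to loopback on purpose. The guest-side `127.0.0.1` is a second, independent change to the same line; the commit message justifies it for services that bind to `127.0.0.1` inside the VM, but it would help to confirm in the PR that the SSH login described right after the example ("allowing you to log in via SSH") was tested with exactly this command, and to mention the guest address choice in the manual as well.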