# Make jail available to bind only certain ports



## qorg11 (Jun 22, 2022)

I want to create a jail with a public IP address, but as we have an IPv4 address shortage, I want to only make the jail able to bind to a range of ports (say 700 to 750).

I asked in the IRC and one answer was to use pf to NAT ports from/to the jail.


----------



## SirDice (Jun 22, 2022)

qorg11 said:


> I want to only make the jail able to bind to a range of ports (say 700 to 750).


What's running on that jail? I mean, why all those ports?



qorg11 said:


> I asked in the IRC and one answer was to use pf to NAT ports from/to the jail.


Yes. That's a good way to do this. Bind the jail to lo1 and NAT the incoming traffic.

You could just bind the jail directly to the external IP address. But you obviously cannot bind more than one service to a single port.


----------



## qorg11 (Jun 23, 2022)

> What's running on that jail? I mean, why all those ports?


No particular reason. It's just a "VPS" I give to friends that's actually a jail, so they can use the jail to use some port-agnostic services, such as XMPP or a Minetest server.

NATing the jail worked. If someone also wants to do this, this is the configuration that worked for me:


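```
# Outbound: traffic from 127.0.0.0/24 leaves $ext_if with the server's address
nat on $ext_if from 127.0.0.0/24 to any -> $SERVER_ADDRESS
# Inbound: TCP ports 1700-1720 arriving on $ext_if are redirected to 127.0.0.255
rdr on $ext_if proto tcp from any to any port 1700:1720 -> 127.0.0.255
```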


----------
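
The setup described in this thread, generalised to several jails sharing one public address, as an added example that is not part of any post above: a small sh generator that refuses invalid or overlapping port ranges before printing the pf rules. With this approach a jail can still bind any port on its own address; only its redirected range is reachable from outside. The interface name, addresses, ranges and the function names `is_port` and `gen_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit pf translation rules for jails sharing one public IPv4.
# Interface, addresses and port ranges are constructed sample values.

# is_port N: succeeds if N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules EXT_IF EXT_ADDR: reads "jail_ip low high" lines on stdin and
# prints one nat and one rdr rule per jail. Returns 1 on an invalid range or
# on a range that overlaps one already assigned to another jail.
gen_rules() {
    ext_if=$1; ext_addr=$2; seen=""
    while read -r ip lo hi; do
        [ -n "$ip" ] || continue
        if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "invalid port range for $ip: $lo:$hi" >&2
            return 1
        fi
        for r in $seen; do
            if [ "$lo" -le "${r#*:}" ] && [ "$hi" -ge "${r%:*}" ]; then
                echo "range $lo:$hi for $ip overlaps $r" >&2
                return 1
            fi
        done
        seen="$seen $lo:$hi"
        # Outbound: jail traffic leaves with the shared public address.
        echo "nat on $ext_if inet from $ip to any -> $ext_addr"
        # Inbound: only this jail's range, only when addressed to the public
        # address. tcp+udp is an assumption; the thread's rule is tcp only.
        echo "rdr on $ext_if inet proto { tcp udp } from any to $ext_addr port $lo:$hi -> $ip"
    done
}

# Constructed sample: two jails on lo1 aliases behind 203.0.113.10 on em0.
gen_rules em0 203.0.113.10 <<'EOF'
127.0.1.1 1700 1720
127.0.1.2 1721 1740
EOF
```

Place the output in the translation section of `pf.conf` and parse it with `pfctl -nf /etc/pf.conf` before loading.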

