How far to go with jailing?

illoai at illoai at
Tue Feb 2 02:01:46 UTC 2010

On 1 February 2010 20:57, Jeff Mitchell <skeezix at> wrote:
>        Strikes me that setting up jails for bloody-well-every-other service
> might be 'fun' ..
>        Jail the webserver; seems a logical break, and keep you honest for
> your partitioning. No more ~/public_html to access it I suppose, but much
> mroe secure for when people attack your wordpress etc.
>        Jail the 'email services'; use fetchmail to pull down to the jail,
> and IMAP and POP3 to serve the mail even to local clients; nice clean email
> mini-server right there in the jail?
>        Jail SMB-serving, so if attacked it still can only serve the content
> in the very well defined area.
>        Jail the mailing list (mailman etc) .. keep things nice and clean.
>        But is setting up a whole stack of jails a pain? a performance
> problem? or just un-necessary overkill? Or a good idea?

I don't know about the performance, though given what I
[believe I] know, if your machine is already running those
serv[ice|er]s, the effect ranges from lightly noticeable to
entirely negligible.  You do have to keep track of the jails
(& update when necessary), though I suppose if you can't
write scripts to do the tedious bits you might be in the w
rong business.

I think it's a good idea, frankly.  Lift and separate, as "they"
said in the 1990s.


More information about the freebsd-questions mailing list