Bot? / pf question

Adam Vande More amvandemore at
Wed Jan 5 20:05:20 UTC 2011

On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering <mark at> wrote:

> That's an excellent point. A span port from the upstream switch/router
> Since I am going to be setting up a mail server sometime next week and have
> to keep things like this in mind;
> would it make sense to run pf and block all outbound traffic that isn't on
> port 25 ( port 995 , etc)  and force any web administration programs onto a
> port other than 80 to help with this sort of thing?  Any other thoughts on
> how to make sure future installations can be kept secure?
> As always, thanks in advance to everyone,

That a great example of when jails should be used,  I put each service into
it's own jail eg MTA, FTP, www.  Actually I use something like pound then
put each different website in it's own jail.  Make sure each database backed
service has separate login/passwords.  Then if something like phplist, or an
MTA is compromised the host OS and utilities can still be trusted, in theory
at least.

Also a managed port can help you deal with issues by tracking stat
metrics/port mirroring/etc.

You can use something ezjail to make administration tasks easier, and if you
isolate the jail FS's(UFS/ZFS) make use of the snapshotting utilities.
There are a couple of utilities in ports to help automate snapshots too.

Adam Vande More

More information about the freebsd-questions mailing list