From: Jeff Mitchell
To: freebsd-questions@freebsd.org
Date: Mon, 1 Feb 2010 20:57:13 -0500 (EST)
Message-ID: <20100201205427.T36480@fw.skeleton.org>
Subject: How far to go with jailing?
List-Id: User questions <freebsd-questions@freebsd.org>

Strikes me that setting up jails for bloody-well-every-other service might be 'fun' ..

Jail the webserver; seems a logical break, and keeps you honest for your partitioning. No more ~/public_html to access it, I suppose, but much more secure for when people attack your WordPress etc.
Jail the 'email services'; use fetchmail to pull down to the jail, and IMAP and POP3 to serve the mail even to local clients; a nice clean email mini-server right there in the jail?

Jail SMB-serving, so if attacked it still can only serve the content in the very well defined area.

Jail the mailing list (mailman etc.) .. keep things nice and clean.

But is setting up a whole stack of jails a pain? A performance problem? Or just unnecessary overkill? Or a good idea?

jeff

-- 
If everyone would put barbecue sauce on their food, there would be no war.
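The per-service layout sketched above (web, mail, SMB, lists), written out as a jail configuration. This is an added example, not something from Jeff's message or from the FreeBSD project; it uses jail.conf(5) syntax, which arrived in FreeBSD 9.1 and so postdates this 2010 post (at the time the same knobs were set as jail_* variables in rc.conf). The host name example.org, the /usr/jails and /tank paths, the em0 interface and the 192.0.2.0/24 addresses (an RFC 5737 documentation range) are assumptions for illustration.

```conf
# Added example: /etc/jail.conf, one jail per service.
# Paths, interface, domain and 192.0.2.x addresses are assumed, not from the post.

# Defaults shared by every jail defined below.
path            = "/usr/jails/$name";        # one filesystem tree per service
host.hostname   = "$name.example.org";       # assumed domain
interface       = "em0";                     # assumed NIC; ip4.addr becomes an alias on it
exec.start      = "/bin/sh /etc/rc";
exec.stop       = "/bin/sh /etc/rc.shutdown";
exec.clean;                                  # fresh environment, nothing leaks in from the host
exec.consolelog = "/var/log/jail_$name.log";
mount.devfs;
devfs_ruleset   = 4;                         # devfsrules_jail: null, zero, random, ttys and little else

# Deny what a daemon does not need; re-enable per jail only where required.
allow.raw_sockets  = 0;                      # no packet crafting from inside the jail
allow.sysvipc      = 0;
allow.mount        = 0;                      # no mount(2) from inside the jail
allow.set_hostname = 0;
allow.chflags      = 0;                      # schg-protected binaries stay protected
enforce_statfs     = 2;                      # jail sees only its own mount point
children.max       = 0;                      # no nested jails
securelevel        = 2;

# Web server: the site tree arrives via a read-only nullfs mount, so a
# compromised WordPress can deface nothing and the host's ~user/public_html
# trees are simply not visible.
www {
    ip4.addr = 192.0.2.10;
    mount    = "/usr/local/www  /usr/jails/www/usr/local/www  nullfs  ro  0 0";
}

# Mail: fetchmail pulls into the jail, IMAP/POP3 serve it back out.
# The spool lives on a host dataset so the jail itself can be rebuilt at will.
mail {
    ip4.addr = 192.0.2.11;
    mount    = "/tank/mail  /usr/jails/mail/var/mail  nullfs  rw  0 0";
}

# SMB: whatever Samba is tricked into serving is bounded by this one mount.
smb {
    ip4.addr      = 192.0.2.12;
    allow.sysvipc = 1;                       # Samba needs SysV shared memory; on FreeBSD 11+
                                             # prefer sysvshm/sysvsem/sysvmsg = new, which
                                             # scope IPC to the jail instead of sharing the host's
    mount         = "/tank/share  /usr/jails/smb/srv/share  nullfs  rw  0 0";
}

# Mailing lists (Mailman); relays outbound through the mail jail's address.
lists {
    ip4.addr = 192.0.2.13;
}
```

With jail_enable="YES" in rc.conf, `service jail start` brings all four up; `jail -c www` starts one by hand and `jls -v` shows what each can see. The part that answers the "very well defined area" question is the mount lines: a jail's view of the filesystem is exactly its path plus whatever is nullfs-mounted into it, and enforce_statfs=2 stops it from even listing the host's other mounts. The caveat a practitioner should keep in mind is that every jail shares the host kernel, so this bounds what a compromised daemon can read, write and connect to, but not what a kernel bug can reach; the allow.* denials above are there to shrink that kernel surface, and each one you re-enable (as allow.sysvipc for Samba) widens it again.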