Warning: XXX: Work in progress, please do not FOLLOW not yet completed. This document will describe the setup of jail(8) and how-to configure all applications to work properly within a jail(8). It has the following design criteria/assumptions: * file:/usr/ports is shared throughout all installations (so are all the configuration for the ports then) and every system build all ports himself. * The sample jail is called {{{pzwet}}} and is located in file:/usr/jail/pzwet and has IP {{{178.63.108.109}}} assigned to it. * All services dependencies are within their own jail, so I can start and stop jails without affecting the others. * My sendmail setup has spam filtering --powered by file:mail/spamass-milter-- support for ''incoming'' email only. * I do not list all the dependencies to be installed, but only the 'meta' port services I like to have running on the system. Important: Your jail server should not run ''any'' public facing services which does 'wildcard' binding to IP addresses, else it will 'claim' the service before your jail can take it. Tip: Jails does '''NOT''' have a local loopback device, so you will need to use UNIX sockets on places you would normally use the loopback address. First make sure to install the jail using the [http://www.freebsd.org/doc/handbook/jails.html method in the handbook] {{{ pzwet# cat <> /etc/rc.conf # # Base Services sshd_enable="YES" syslogd_flags="-ss" sendmail_enable="YES" # saving entropy bits is not useful within jails, as your host will do handle this. entropy_dir="NO" # Get some jitter in your cron runs to make sure the does not all run at time same time. # Do NOT use if you rely on having your process to start at 'exact' that time. cron_flags="-J10" # # Port Services spamass_milter_enable="YES" spamass_milter_localflags="-i 178.63.108.109,0.0.0.0 -r -1 -- -U /var/run/spamd.sock" spamd_enable="YES" spamd_flags="--socketpath=/var/run/spamd.sock --nouser-config --username=nobody" EOF }}} pzwet# make -C /usr/ports/security/sudo WITH_INSULTS=yes BATCH=yes install clean pzwet# make -C /usr/ports/devel/subversion WITH_MOD_DAV_SVN=yes APACHE_VERSION=22 BATCH=yes install clean pzwet# make -C /usr/ports/ports-mgmt/portaudit BATCH=yes install clean; /usr/local/sbin/portaudit -Fda pzwet# make -C /usr/ports/editors/vim-lite BATCH=yes install clean pzwet# make -C /usr/ports/mail/spamass-milter BATCH=yes install clean pzwet# make -C /usr/ports/sysutils/screen BATCH=yes install clean Update port INDEX tree and report on pending upgrades every Saturday: pzwet# echo '0 3 * * sat root /usr/sbin/portsnap -I cron update && /usr/sbin/pkg_version -vIL=' >> /etc/crontab