I have a current network that sits behind a smart firewall. Expensive to own but well worth the money. I am adding another location just for dedicated servers where I won't be behind a firewall. I prefer to load Virtuozzo as a buffer between the world and the server. For example, if a hacker gets in and issues a crond -r and empties the cron that runs an app looking for a hack, I'm vulnerable. But if I run it from the HN as a superuser (/vz/private/110/var/spool/crond...) they can't get to it. Sneaky, I know. I am actually preconfigured for certain BOTS being uploaded to /tmp and I check each minute for their presence.

At any rate, I won't have a hardware firewall at that location for some time. Non-contiguous IPs and no NATing. This means that I'll need to install CFS or Firewalld for the customer. I'll be installing Plesk as well.

As I understand it, if I run CFS or Firewalld on the HN it 'should' globally block the individual container(s). Is this correct? Should I load CFS/firewalld in each container following the commands for doing this? Which is a better choice? CFS, Firewalld, Plesk's own use of iptables and APF/BFD?

I realize that this is Virtuozzo being supported here. I am asking instead of experimenting because I won't have the ability to experiment at a remote location 2500 miles away. I would be grateful to those who have already learned this.