maybe someone has solution?

What follows are some theoretical ramblings on the subject.

Grass always seems greener on the other side. It seems like virtualizing everything is a safer way to go, but on my recent memory there have been two serious hypervisor breakout vulnerabilities.

In the cloud space, these days, lightweight Docker containers are all the rage. This is a technology that is loosely based on FreeBSD Jails. Perhaps, if pfSense packages were running inside the jails it would help to thwart some of the security risks; by stopping heap memory corruption attacks from affecting the whole system, for example.

Ok. Thank you for reading. I am off to build a rack of servers. See you later.  :)

MTA with spam filtering tacked on are huge, complex, beasts that have a history of security issues, and they are less suited to being at the perimeter of the network. You can route mail wherever you want, so route it to a dedicated mail filtering VM/appliance if you must. It doesn't have to be at the edge like an IDS.

DNS services are less clear. A caching resolver for clients is good, but a public authoritative server is not.

So basically, anything you can run elsewhere, should be run elsewhere, if you have a choice.

And just because we have a package for something doesn't always mean it's a good idea to run it on an edge firewall. Classic security vs convenience trade-off.

We recommend not running an MTA on the firewall.  ;D

What is the logic behind the recommendation? If a bunch of spam can be cut down right at the perimeter, why not?

What else do you not recommend running on the firewall: IDS/IPS, DNS?