Richard's FreeBSD Jail setup script

Most decent operating systems have a feature called "chroot", where you can force an application (including command shells) to remain in a specific portion of the file system. This can be a helpful security feature in many situations.

FreeBSD goes one step further, and offers the "jail" feature. Not only does jail restrict the process (and its children) to a specific part of the filesystem, but it also places further restrictions on the process. For instance, a process in a jail is assigned a single IP address, and the process cannot change it or bind to any other address. A process in a jail cannot see outside processes, so a jailed shell will only see processes in that jail. A jailed process can only access the devices set up in its own /dev directory, and cannot create new devices.

Here is an interesting article on the FreeBSD jail system.

One very nice trick that you can do is to create a virtual system within a jail, complete with its own user accounts and secure shell. Assign a unique IP address and file hierarchy to each one, and the jails won't even be aware of each other. The jails are protected from each other, even if jailed users have root privileges.

The main problem I had with setting up jails is knowing which files to copy, which aren't needed, and which need to be modified. So I eventually created a simple script to do this for me. This one copies the development tools, which is especially handy if you want to compile and try out new software in a safe environment. You can probably get the jail size under a hundred megs if you modify the script to only copy the minimum files.

Here is my mkjail script. To use it, change your current directory to where you want to place the new jail directory hierarchy, and give mkjail the name of the new jail directory. You must be root in order to preserve the file ownership and permissions, and to allow the script to create the custom device entries for your new jail. Please look over every line in this script to satisfy yourself first :-)

Let's assume that your new jail directory is /usr/jails/jail_01 and that you wish to assign it 192.168.100.1 and the hostname "host_01". To run your new jailed virtual environment, you can use the command

    /usr/sbin/jail /usr/jails/jail_01 host_01 192.168.100.1 /bin/sh /etc/rc

It will start up almost like a brand new operating system, and start running its own daemons. I assume that sshd will be running, and you can see in my script where this is written to /etc/rc.conf. Now you can ssh into your new jail with "ssh 192.168.100.1", build your servers, and add users if you wish. You should probably use vipw to fix up the user accounts on your new jail.
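The steps above (build the jail's directory tree, copy the base system with ownership preserved, set up a restricted /dev, write an rc.conf that enables sshd, then start it with jail(8)) can be sketched as a small POSIX sh script. This is an added example, not Richard's mkjail script, which is not reproduced on this page. It assumes the classic jail(8) command form shown above (jail path hostname ip command), one IPv4 address per jail, and that the base-system copy and devfs steps run as root on a FreeBSD host; the jail root, hostname and address in the usage comment are constructed sample values, and the rc.conf settings beyond sshd_enable follow the guidance in the jail(8) manual page rather than anything stated on this page.

```shell
#!/bin/sh
# Added example: a dry-run-friendly sketch of a jail setup script.
# Not Richard's mkjail script; the base-system copy and devfs steps assume
# a FreeBSD host and root privileges. Directory and address values are samples.

# Directories copied from the host into the jail. With /usr/bin, /usr/lib and
# /usr/share included this gives a build environment; trim for a minimal jail.
BASE_DIRS="/bin /sbin /lib /libexec /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/share /etc"

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rc.conf for the jail: hostname, sshd, and settings (per jail(8)) that stop
# services from attempting things a jail cannot do, such as configuring
# interfaces or opening a network logging socket.
jail_rc_conf() {
    host=$1; ip=$2
    printf 'hostname="%s"\n' "$host"
    printf 'network_interfaces=""\n'
    printf 'sshd_enable="YES"\n'
    printf 'sendmail_enable="NONE"\n'
    printf 'rpcbind_enable="NO"\n'
    printf 'syslogd_flags="-ss"\n'
    printf 'inetd_flags="-wW -a %s"\n' "$ip"
}

# Create the jail's directory tree and write its configuration. Needs neither
# root nor FreeBSD, so it can be reviewed and tested on its own.
make_jail_skeleton() {
    root=$1; host=$2; ip=$3
    valid_ipv4 "$ip" || { echo "mkjail: bad IPv4 address: $ip" >&2; return 1; }
    for d in $BASE_DIRS /dev /tmp /var/log /var/run /root /home; do
        mkdir -p "$root$d"
    done
    chmod 1777 "$root/tmp"
    jail_rc_conf "$host" "$ip" > "$root/etc/rc.conf"
}

# Copy the base system into the jail. find | cpio -pdm keeps ownership, modes
# and symlinks, which is why this must run as root. Device nodes come from a
# devfs mount restricted by ruleset 4 (devfsrules_jail in /etc/defaults/devfs.rules).
populate_base() {
    root=$1
    for d in $BASE_DIRS; do
        (cd / && find ".$d" -xdev -print | cpio -pdm "$root") || return 1
    done
    mount -t devfs devfs "$root/dev" || return 1
    devfs -m "$root/dev" rule -s 4 applyset || return 1
}

# The start command in the classic jail(8) form used on this page.
jail_start_cmd() {
    printf '/usr/sbin/jail %s %s %s /bin/sh /etc/rc\n' "$1" "$2" "$3"
}

mkjail() {
    [ $# -eq 3 ] || { echo "usage: mkjail <jail-root> <hostname> <ipv4>" >&2; return 2; }
    make_jail_skeleton "$1" "$2" "$3" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dry run: skeleton and rc.conf written, base-system copy skipped; start with:"
    else
        populate_base "$1" || return 1
        echo "jail populated; start it with:"
    fi
    jail_start_cmd "$1" "$2" "$3"
}

# Runs only when invoked with arguments, e.g. (sample values):
#   DRY_RUN=1 sh mkjail.sh /usr/jails/jail_01 host_01 192.168.100.1
if [ $# -gt 0 ]; then
    mkjail "$@"
fi
```

Run it once with DRY_RUN=1 to inspect the generated tree and rc.conf before doing the real copy as root; the split between make_jail_skeleton and populate_base is what makes that inspection possible without touching the host's device tree.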

Where do you go from here? How should I know that? Have fun!