OK, now that I've had a decent night's rest and my brain is working, here is a somewhat more comprehensive posting.

UDP + firewalls and "keeping state". It's sort of a pseudo state: the firewall remembers UDP packets. For example, a firewall rule for "keep state, allow udp packets to/from port 53" means an outgoing packet to a DNS server results in a small window being opened for the return packet. Of course an attacker can still insert a spoofed packet (not hard either, just keep sending spoofed DNS responses from well-known servers), but that should hopefully be noticed.

NTPD and root. There is a modified NTP daemon that uses kernel capabilities, one of which is modifying system time, so it can drop root privileges once it binds to port 123. For the life of me I can't remember which vendor ships it, though (check http://security-archive.merton.ox.ac.uk/).

Kurt
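
The UDP pseudo state described in the post above, as an added example that is not part of the original message: a toy state table that opens a return window per outgoing DNS query, matches replies on header fields only, and flags flows that draw more than one reply. The class and function names, the 30-second timeout, the addresses and the one-reply-per-query heuristic are all assumptions made for illustration.

```python
# Added example: toy model of "keep state" for UDP. Names and timeout are assumptions.
UDP_STATE_TIMEOUT = 30.0  # seconds the return window stays open (assumed value)


class UdpStateTable:
    """Remember outgoing UDP flows and admit only packets that mirror them."""

    def __init__(self, timeout=UDP_STATE_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (src, sport, dst, dport) -> [expiry, replies_seen]

    def outbound(self, now, src, sport, dst, dport):
        # Rule from the post: keep state, allow UDP packets to port 53.
        if dport != 53:
            return False
        self.flows[(src, sport, dst, dport)] = [now + self.timeout, 0]
        return True

    def inbound(self, now, src, sport, dst, dport):
        # A reply passes only if its header mirrors a remembered query.
        key = (dst, dport, src, sport)
        entry = self.flows.get(key)
        if entry is None:
            return False
        if now > entry[0]:
            del self.flows[key]  # window closed
            return False
        entry[1] += 1
        return True

    def noisy_flows(self):
        # Assumed heuristic: one query should draw one reply; more is worth a log line.
        return [k for k, (_, replies) in self.flows.items() if replies > 1]


def demo():
    fw = UdpStateTable()
    client, resolver, other = "192.0.2.10", "198.51.100.53", "203.0.113.7"  # constructed
    r = {"query_out": fw.outbound(0.0, client, 40000, resolver, 53)}
    r["reply_in_window"] = fw.inbound(1.0, resolver, 53, client, 40000)
    r["wrong_source"] = fw.inbound(1.0, other, 53, client, 40000)
    r["wrong_port"] = fw.inbound(1.0, resolver, 53, client, 40001)
    # Same header fields again: the table cannot tell who really sent it.
    r["second_matching_reply"] = fw.inbound(2.0, resolver, 53, client, 40000)
    r["noisy"] = fw.noisy_flows()
    r["after_timeout"] = fw.inbound(31.0, resolver, 53, client, 40000)
    return r
```

The second matching reply is accepted because the table checks only addresses, ports and the timer, which is why counting replies per flow is one place where a flood of forged responses can be noticed.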