Here is an idea for an interesting little project: Imagine a firewall where all the external interfaces are confined in a jail which has no IP-connectivity to the rest of the machine. Start OpenVPN outside the jail, have it setup a two-way pipe and fork a childprocess, which attaches to the jail and performs out all public-side socket operations inside the jail, passing only the raw encrypted packets over the pipe. Tada: Nothing in the jail can be hacked... Only problem is: OpenVPN doesn't know this trick. But how hard could that be ? Somebody[tm] should do that... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.