The following is from a white paper by Craig Rowland... all credit due author.

The TCP/IP protocol suite has a number of weaknesses that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign packets... The implications of these methods depend on the purposes they are being used for. Immediate use could allow for an encrypted and concealed communication channel between hosts located in countries that may frown upon the use of cryptography (snipped). Additional purposes could be served in the areas of data smuggling and anonymous communication. Protection from these techniques includes the use of an application proxy firewall system which does not allow packets from logically separated networks to pass directly to each other. I know of no other firewall type that can guarantee this. A packet-filter "firewall" MAY stop the traffic depending on whether true network address translation is used (re-writing of the ENTIRE TCP/IP header information), which is often not the case despite what advertisers may say. Additionally, if you are bouncing the packets off a remote site with a listening port, the return packet will have a SYN/ACK combination set in the header and will look like an "established" connection to the packet filter. This has the potential to punch through many of these filters, even some that claim to be "stateful". A straight packet filter in the form of a router will probably offer little or no protection, especially if you allow any "established" traffic back in from any site, which is almost a certainty. Detection of these techniques can be difficult, especially if the information being passed in the packet data is encrypted with a good software package (PGP and others).

Particularly, hosts receiving a server-bounced packet will have a difficult time determining from where the packet originated unless they can put a sniffer on the inbound side of the bounced server, which will still only reveal that a forged packet originated from somewhere on the Internet. Methods to track down the packet can still be used at this point, however, so caution should be used (assuming anyone notices it occurring).

It's not possible for me to post a link here due to the nature of the information it would provide. Those who are aware of this exploit will understand... Please notice the mention of an application firewall being the best means of preventing/defending against this exploit... Although I use an application firewall, I find it rather difficult to accept that a properly configured rule-based firewall would not defend against this exploit... Please also notice that encryption enhances the exploit... Personally I can't offer very much input on this subject... it's above me at this time... however, it would be interesting for discussion if others would care to do so... I certainly would be interested in the subject matter.

snowman

Please note that this is not an issue of which is the best firewall, application or rule-based... the intent should be aimed at prevention of the exploit... thank you.
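The paper's point about "established" rules is easy to see in code. Below is an added example, not from Rowland's paper or from snowman's post, that models the two filter designs side by side: a router-style rule that admits any inbound packet with the ACK bit set, and a state-tracking filter that only admits a SYN/ACK when it matches an outbound SYN it recorded earlier (same four-tuple, acknowledgement number equal to that SYN's sequence number plus one). The packet records and addresses are constructed for the example (documentation ranges 203.0.113.0/24 and 198.51.100.0/24), and the TCP handshake model is deliberately reduced to the pieces needed to show why a flag check alone lets a bounced SYN/ACK through.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# TCP flag bits (standard values from the TCP header).
SYN = 0x02
ACK = 0x10

FourTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment as a filter would see it (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int
    direction: str  # "out" = leaving the protected network, "in" = arriving from outside


def flag_only_filter(pkt: Packet) -> str:
    """Router-style 'established' rule: any inbound segment with ACK set is allowed.

    This is the behaviour the paper warns about: a SYN/ACK bounced off a remote
    listening port carries ACK, so it looks 'established' and passes.
    """
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.flags & ACK else "drop"


class StatefulFilter:
    """Tracks outbound SYNs and only admits replies that match one."""

    def __init__(self) -> None:
        self.pending: Dict[FourTuple, int] = {}   # outbound 4-tuple -> initial sequence number
        self.established: Set[FourTuple] = set()  # 4-tuples that completed SYN -> SYN/ACK

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.flags & SYN and not pkt.flags & ACK:
                # Remember the ISN so the reply's ACK number can be validated.
                self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.seq
            return "allow"

        # Inbound: look up the connection as the inside host opened it.
        reverse: FourTuple = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags & SYN and pkt.flags & ACK:
            isn = self.pending.get(reverse)
            if isn is None:
                return "drop:unsolicited-synack"      # no inside host asked for this
            if pkt.ack != (isn + 1) & 0xFFFFFFFF:
                return "drop:bad-ack"                 # reply does not acknowledge our ISN
            del self.pending[reverse]
            self.established.add(reverse)
            return "allow"
        if pkt.flags & ACK and reverse in self.established:
            return "allow"
        return "drop:no-state"


def evaluate(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (flag_only_decision, stateful_decision) for each packet in order."""
    stateful = StatefulFilter()
    return [(flag_only_filter(p), stateful.check(p)) for p in packets]


# Constructed sample traffic: one legitimate handshake, then an unsolicited
# SYN/ACK of the kind a bounce off a third-party server would produce.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, SYN, 1000, 0, "out"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, SYN | ACK, 5000, 1001, "in"),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, SYN | ACK, 7000, 424243, "in"),
    Packet("198.51.100.7", 80, "10.0.0.5", 40001, ACK, 7001, 424243, "in"),
]

if __name__ == "__main__":
    for pkt, (flag_only, stateful) in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"flags=0x{pkt.flags:02x}  flag-only={flag_only}  stateful={stateful}")
```

Running it shows the flag-only rule admitting all three inbound segments, while the state-tracking filter admits only the SYN/ACK that answers a recorded outbound SYN and drops the two segments for which no inside host ever initiated a connection. That is the difference between a filter that merely inspects flag bits and one that keeps per-connection state, which is what the paper means by "stateful" filters that do not actually track state.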