Brian,

>  but would I gain anything by running proftpd tunnelled through ssh?

If you think that proftpd is any better/more secure, then perhaps yes. 
However, tunnelling through SSH makes it a real pain in the arse for 
your users. sftp acts just like ftp except that it has a different 
name., Most users aren't aware of any difference.

If you're worried about the stability/security of the FTP server, 
consider vsftpd. Small, fast, very secure, and con can configure all 
kinds of stuff like chrooting incoming users, etc.

> - every couple minutes or so, one of the ISPs DNS servers opens a port 
> 53 to my server, what's up with that?

TCP or UDP? Are you sure that the connection is incoming and not outgoing?

>  I'm running with a static IP behind a firewall, I don't have named 
> running, I'm just using a hosts file.

If you have a DNS server set up (like from your ISP), then you're using 
DNS despite your hosts file. You're just not *serving* a DNS server.

> - I'd like to try putting X11 on, but I can't find any BSD-specific X11 
> base.  Will the .tar files from X11.org compile readily?  They say the 
> MIPS.cf hasn't been tested for "a while" and might need work.

I've heard of others running X on these little guys. Does anyone have a 
good reason other than to be able to say "hey! that little thing over 
there is running X, baby!". Just seems like a waste of what little 
processing power these things have.

> - any comments on using snort or tripwire?   How many people here use 
> these?

I know a bunch of people who use tripwire. I probably should be.

-chris