Subject: Re: new sysctl - privileged ports runtime option?
To: None <tech-kern@netbsd.org>
From: Joe Reed <jnr@po.cwru.edu>
List: tech-kern
Date: 08/11/2002 15:10:16
> I generally _really_ like to do security related things in exactly the
> opposite way so that they "fail safely".  I.e. only release the
> restrictions on specific ports, and to only do that via a restricted
> interface.  Assuming it works then IPNAT satisfies my requirements
> exactly, whereas using NOPRIVEPORTS+systrace goes diametrically opposite
> to them.

hmmm... i was under the impression that ipnat will not map between ports on
the same interface. i've gotten around this by setting services to run only
on lo0, then ipnat'ing to them.

i wonder how hard it would be to implement a uid<->port mapping that would
allow for privileged ports to be released on a per-uid basis. or would such
functionality just not be worth it? thoughts/ideas?

--joe