>I mentioned before that it doesn't really make much sense with web >hosting because the port can easily be changed so it's not very effective
>at all. Stop thinking of policing the user and start thinking of providing a security service. The default setting of the security service might include a block on port 80 inbound, but if the user needs to enable this traffic, give them a web form that they can use to reconfigure their settings. Or, if you can't handle such a variety of individual ACLs on your equipment, give them the option of buying a broadband router with a recommended default config and un-blocked service. If the user has to intervene in order to enable a server type application to function, that makes it a lot harder for trojan exploits to take hold. --Michael Dillon