PF Randomness Proxies e.g. ftp-proxy Userland, NOT kernel No kernel bloat Security risk of complex code can be contained priviledge revocation/separation, chroot, etc. Redirect connections to the proxy, proxy gets destination from pf