> Of course it can be done at the firewall - this is generally what a firewall
> does - but this has drawbacks too as I mentioned....
Exactly.... That's the job of a firewall. Can you explain these "drawbacks" of using the firewall to do this....? From a performance/security viewpoint it's a very bad idea to let this get handled at application level. On Linux one has netfilter, which does its job and does it well, is properly tested, and can be enhanced using extra modules.
