Be damned if you filter, be damned if you don't. Nice choice. I think it's time that we set aside a range of port numbers for private use. That makes all those services that have no business escaping out in the open extremely easy to filter, while at the same time not impacting any legitimate users. Services could even be assigned two port numbers: a public one and a private one. So I could use port 80 to access the web, but port 32768 + 80 (or whatever) to manage my ADSL modem over HTTP. Applications would just need a few lines of code to try either the public or the private port first (depending on the type of application and possibly some heuristics) and try the other port when there is a destination port unreachable or administratively prohibited message. (Note that what I mean here has nothing to do with what IANA calls "private" ports.)
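The fallback the post describes, written out as an added example (not code from the original post). The offset 32768 is the post's own illustrative number; the function names, the injectable `connector` parameter and the errno values treated as an explicit refusal are assumptions.

```python
import errno
import socket

PRIVATE_OFFSET = 32768  # the post's "32768 + 80 (or whatever)"; not an IANA assignment

# Assumed mapping: errno values a TCP connect() commonly reports after a RST or
# an ICMP port-unreachable / administratively-prohibited reply.
FALLBACK_ERRNOS = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}


def private_port(public_port, offset=PRIVATE_OFFSET):
    """Map a public service port to its private twin under the proposed scheme."""
    if not 0 < public_port < offset:
        raise ValueError(f"port {public_port} has no private twin below 65536")
    return public_port + offset


def border_filter_drops_new_connection(dst_port, offset=PRIVATE_OFFSET):
    """The single border rule the scheme enables: drop the whole private range."""
    # Applies to the destination port of NEW inbound connections only: the range
    # overlaps common ephemeral source ports, so return traffic must be exempt.
    return offset < dst_port <= 65535


def connect_with_fallback(host, public_port, prefer_private,
                          connector=socket.create_connection, timeout=5.0):
    """Try the preferred port, then the other one only on an explicit refusal.

    Returns (connection, port_used). Timeouts and other errors propagate,
    because the post limits fallback to unreachable/prohibited replies.
    """
    ports = [private_port(public_port), public_port]
    if not prefer_private:
        ports.reverse()
    for attempt, port in enumerate(ports):
        try:
            return connector((host, port), timeout), port
        except OSError as exc:
            if exc.errno not in FALLBACK_ERRNOS or attempt == len(ports) - 1:
                raise
```

A silent drop at the filter produces a timeout rather than a refusal, so a client using this logic only falls back quickly when the filter answers with a reject.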