I once worked for a company where to get an outbound telnet connection or to put a file with ftp, you needed to go through a gateway which required us to use a hardware device to participate in a challenge/response authentication scheme. While this may be extreme, it points out a use of firewalls people seem to be ignoring in this descussion: enforcing policy. Most employees will have physical access to the network, and physical access (=root privileges) to their workstations. If you want to enforce a policy of "no http servers, ftp servers, or anything else", you can't allow any incoming Syn packets. If you don't want to trust every single person to configure his/her workstation to reject Syn packets from outside, you need to do the filtering where most people can't bypass it. Now replace Syn above with whatever TCP/IPv6 uses, and the same will hold. That said, I hate firewalls. I find being behind a firewall incredibly painful. I hope firewalls do die with IPv6. David