* use fr_tcpstate() with NAT code for increased NAT usage security or even
  fr_checkstate() - suspect this is not possible.

* see if the Solaris2 and dynamic plumb/unplumb problem is solvable

time permitting:

* load balancing across interfaces

* record buffering for TCP/UDP

* modular application proxying
on the way

* invesitgate making logging better

* add reverse nat (similar to rdr) to map addresses going in both directions
  (this might just be some changes to rdr).  In 1:1 relationships maybe make
  it an option.
done ?

* keep fragment information for NAT/state entries automatically.
done

* support traceroute through the firewall
  (i.e. fix up ICMP errors coming back for NAT)
