The truly paranoid may elect to use the 2.4 kernels' Netfilter4 facility (adding stateful packet filtering) or a commercial application-level proxy gateway.

CNN: Analysis: Linux security