> Do you think you could elaborate on this just a bit? In
> particular, assuming that there is a desire to relay IRC through a
> firewall (and without arguing the validity of that desire, for the moment
> at least), is there any approach that could be taken to reduce this risk,
> short of just not allowing it at all?
First of all, DCC can be from any port to any port. It's a point-to-point
connection between clients bypassing the IRC network completely, so you'd
have to write a proxy that grokked the protocol and pretended to be the
client, like the FTP proxies do, and ran on the firewall... or open up a
huge range of ports.
Second, it's way open to "social engineering" attacks. That's as big a
problem as the technical one.