Another possibility is to use NAT to re-map the response on the way out... once again, if anyone gets this working, please post how you did it.
I don't know if this is quite you're looking for, but I had no trouble using Linux "ipmasqadm portfwd" to open port 123 for tcp and udp on my firewall. I'm going from a public IP address to a private namespace and that seems to work (or at least, my friend testing on the outside is able to get time from me).
John [EMAIL PROTECTED]
