Yeah, I think whatever was implemented would have to be an imperfect solution -- you'd basically just connect to local users whenever your were able to. The firewalled address issue can be overcome, however. We can automagically report the user's "true" address in the connection headers based on what everyone else is connecting to you through with an extension that we're working out the details of right now.