+.OS "Socket options"
+.B socket.inet.dest.priv-port
+.RB [=]
+.BR yes | no
+.OD
+Make a privileged connection (i.e., from a low-numbered port) to the
+target. This only works if
+.B fw
+was started with root privileges. However, it still works if
+.B fw
+has
+.I dropped
+privileges after initialization (the
+.B \-s
+option). Before dropping privileges,
+.B fw
+forks off a separate process which continues to run with root
+privileges, and on demand passes sockets bound to privileged ports and
+connected to the appropriate peer back to the main program. The
+privileged child only passes back sockets connected to peer addresses
+named in the configuration; even if the
+.B fw
+process is compromised, it can't make privileged connections to other
+addresses. Note that because of this privilege separation, it's also
+not possible to reconfigure
+.B fw
+to make privileged connections to different peer addresses later. by
+changing configuration files and sending the daemon a
+.BR SIGHUP .
+.OE