I agree that being behind someone else's firewall is a problem as the
user may not understand the implications of this and thus advertise an
impossible exit policy.
Suggestion for the coders .. make the client test itself and adjust the
exit policy on the fly.