diff --git a/TODO b/TODO
index 8fe9e70..f79556e 100644
--- a/TODO
+++ b/TODO
@@ -1,4 +1,8 @@
 * Make sure to not run this as root (setuid doesn't work well), so use NET capabilities
+* Allow limiting the hosts that one can connect to use direct-tcpip (right now
+  all hosts are allowed)
+* Allow lifting restrictions on what clients can bind on with forwarded-tcpip
+
 * Check assertions and TODOs.
 * Look if/where we want to set deadlines on open sockets
 * Go through all log.Println calls, and make sure they are unique(?) and
diff --git a/sshd.go b/sshd.go
index 7957d18..d71609f 100644
--- a/sshd.go
+++ b/sshd.go
@@ -206,12 +206,14 @@ func handleDirect(client *sshClient, newChannel ssh.NewChannel) {
 		return
 	}
 
-	// XXX: Is this sensible?
-	if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
-		log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
-		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
-		return
-	}
+	/*
+	// XXX: Is this sensible?
+	if payload.Addr != "localhost" && payload.Addr != "::1" && payload.Addr != "127.0.0.1" {
+		log.Printf("[%s] Tried to connect to prohibited host: %s", client.Name, payload.Addr)
+		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad addr"))
+		return
+	}
+	*/
 	if !portPermitted(payload.Port, client.AllowedLocalPorts) {
 		newChannel.Reject(ssh.Prohibited, fmt.Sprintf("Bad port"))