Subject: Re: restricting NFS (and associated services) to one IP address
To: None <netbsd-users@netbsd.org>
From: Michael van Elst <mlelstv@serpens.de>
List: netbsd-users
Date: 10/09/2006 12:52:53
smb@cs.columbia.edu ("Steven M. Bellovin") writes:
>There are no guarantees about what port numbers are assigned. Today, on
>one particular reboot, it used the ports I mentioned. A code change or a
>boot order change could change that, which would silently leave the
>services exposed.
The normal approach with "default is deny" would just reconfigure the
port filters when the service is started and stopped. But with "default
is permit" this opens a window of vulnerability.
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
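
The "default is deny" approach discussed in this message, as an added example that is not part of the original post: a filter fragment is regenerated from the ports the RPC services currently hold, so a port that moves after a reboot ends up blocked instead of exposed. The pf rule syntax, the client address 192.0.2.10 and the function names are assumptions, and the `rpcinfo -p` listing is constructed sample data.

```shell
#!/bin/sh
# Added example: derive a default-deny pf fragment from `rpcinfo -p` output.

# Constructed sample of `rpcinfo -p` output (not taken from the thread).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1017  mountd
    100005    3   udp   1017  mountd
    100005    1   tcp   1020  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
EOF
}

# gen_rules CLIENT_IP
# Reads `rpcinfo -p` output on stdin and prints pf rules (assumed filter).
# The block rule comes first: any port that is not listed below, including
# one a service moves to later, stays closed until the rules are regenerated.
gen_rules() {
    client=$1
    echo "block in all"
    awk -v c="$client" '
        # Keep only data rows: numeric program, tcp/udp, numeric port.
        $1 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ {
            key = $3 " " $4
            if (!(key in seen)) {          # one rule per proto/port pair
                seen[key] = 1
                printf "pass in proto %s from %s to any port %s\n", $3, c, $4
            }
        }'
}

# Real use would read the live table when the services start, e.g.:
#   rpcinfo -p | gen_rules 192.0.2.10
```

With the block rule in place, a stale rule set fails closed: the client loses access until the rules are rebuilt, but no other host gains it.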