Subject: Re: restricting NFS (and associated services) to one IP address
To: Michael van Elst <mlelstv@serpens.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 10/09/2006 10:27:56
On Mon, 9 Oct 2006 12:52:53 +0000 (UTC), mlelstv@serpens.de (Michael van Elst) wrote:
> smb@cs.columbia.edu ("Steven M. Bellovin") writes:
>
> >There are no guarantees about what port numbers are assigned. Today, on
> >one particular reboot, it used the ports I mentioned. A code change or a
> >boot order change could change that, which would silently leave the
> >services exposed.
>
> The normal approach with "default is deny" would just reconfigure the
> port filters when the service is started and stopped. But with "default
> is permit" this opens a window of vulnerability.
>
"default deny" what? All packets addressed to low-numbered ports? Per a
previous reply, there are some subtle implications to doing that.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
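The exchange above turns on one point: RPC services other than the portmapper and nfsd register on whatever port they get at boot, so a filter written against observed port numbers can quietly stop covering them. The following is an added example (not code from the thread or from NetBSD); it parses constructed `rpcinfo -p` style output, with hypothetical port numbers, and compares what a "default permit, block these ports" ruleset and a "default deny, allow these ports" ruleset would leave reachable after a reboot that reassigned the dynamic ports.

```python
"""Model the two filtering strategies discussed in the thread.

Constructed sample data (hypothetical port numbers, not taken from any real
host): the same RPC services registered on two consecutive boots. nfs and
portmapper keep their well-known ports; mountd, nlockmgr and status land on
whatever was free.
"""
from typing import NamedTuple


class Service(NamedTuple):
    program: int
    vers: int
    proto: str
    port: int
    name: str


# Constructed `rpcinfo -p` output for the first boot.
RPCINFO_FIRST_BOOT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    808  mountd
    100005    3   tcp    811  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp    620  nlockmgr
    100024    1   tcp    683  status
"""

# Constructed output for a later boot: the dynamic ports have moved.
RPCINFO_SECOND_BOOT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    813  mountd
    100005    3   tcp    817  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp    626  nlockmgr
    100024    1   tcp    701  status
"""


def parse_rpcinfo(text: str) -> list[Service]:
    """Parse `rpcinfo -p` style lines; the header and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        program, vers, proto, port, name = parts[:5]
        services.append(Service(int(program), int(vers), proto, int(port), name))
    return services


def ports_of(services: list[Service]) -> set[int]:
    """The set of ports an admin would see, and write rules against, at one boot."""
    return {s.port for s in services}


def exposed_under_default_permit(services: list[Service], blocked_ports: set[int]) -> list[tuple]:
    """Default permit with an explicit block list: a service is reachable
    whenever its current port is not on the list."""
    return sorted({(s.name, s.proto, s.port) for s in services if s.port not in blocked_ports})


def exposed_under_default_deny(services: list[Service], allowed_ports: set[int]) -> list[tuple]:
    """Default deny with an explicit allow list: a service is reachable only
    if its current port was deliberately opened."""
    return sorted({(s.name, s.proto, s.port) for s in services if s.port in allowed_ports})


if __name__ == "__main__":
    first = parse_rpcinfo(RPCINFO_FIRST_BOOT)
    second = parse_rpcinfo(RPCINFO_SECOND_BOOT)
    # Rules written from what was observed on the first boot.
    block_list = ports_of(first)
    allow_list = {22}  # hypothetical: only ssh is meant to be reachable
    print("default permit, after reboot:", exposed_under_default_permit(second, block_list))
    print("default deny, after reboot:  ", exposed_under_default_deny(second, allow_list))
```

Run as a script, the block-list variant reports mountd, nlockmgr and status as reachable on their new ports, while the allow-list variant reports nothing, which is the "window of vulnerability" versus "default is deny" contrast in the reply above. The point of the check is that a block list has to be regenerated every time the services start, whereas an allow list does not care where the dynamic ports went.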