Subject: Re: restricting NFS (and associated services) to one IP address
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Chuck Swiger <cswiger@mac.com>
List: netbsd-users
Date: 10/09/2006 10:21:57
On Oct 9, 2006, at 7:27 AM, Steven M. Bellovin wrote:
>> The normal approach with "default is deny" would just reconfigure the
>> port filters when the service is started and stopped. But with "default
>> is permit" this opens a window of vulnerability.
>>
> "default deny" what?  All packets addressed to low-numbered ports?

"default deny" means denying all packets, except those explicitly  
permitted by your security policy.

In many cases, "default deny" results in you permitting 22, 80, 443,  
and maybe DNS & NTP traffic, only.

With regard to NFS and RPC services involving portmap, please
understand that these services predated the notions of network
security and firewalls needed today, and that these services are
basically completely insecure.  It is not prudent or advisable to try
to combine routing/firewall functionality and filesharing on the same
machine; if your multihomed system is being used to route or NAT
traffic, then, if at all possible, you should not configure it to
operate as a fileserver as well.

-- 
-Chuck
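As an added illustration of the "default deny" policy Chuck describes (this ruleset is not from the thread and not anyone's production config), here is a minimal pf.conf in the style NetBSD's pf(4) accepts. The interface name ext0, the internal interface int0, the single NFS client 192.168.1.10 and the DNS/NTP server addresses in 192.0.2.0/24 are all made-up placeholders; everything not explicitly passed is dropped, which is exactly the property that makes starting and stopping a service safe: a service that is not in the pass list is unreachable whether or not it is running.

```pf
# /etc/pf.conf -- added example, not from the original message.
# Assumed names/addresses (replace with your own):
#   ext0         = interface facing the untrusted network
#   int0         = interface facing the LAN that holds the one NFS client
#   192.168.1.10 = the single host allowed to mount NFS exports
#   192.0.2.53 / 192.0.2.123 = hypothetical DNS and NTP servers
ext_if = "ext0"
int_if = "int0"
nfs_client  = "192.168.1.10"
dns_servers = "{ 192.0.2.53 }"
ntp_servers = "{ 192.0.2.123 }"
tcp_services = "{ 22, 80, 443 }"

set skip on lo0
scrub in all

# Default deny: anything not matched by a later "pass" rule is dropped
# and logged, in both directions, on every interface.
block in  log all
block out log all

# Inbound from the untrusted side: only the listed TCP services, and only
# new connections (SYN without ACK); replies are handled by state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# Outbound from this host: DNS and NTP to the configured servers only.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to $dns_servers \
    port 53 keep state
pass out on $ext_if proto udp from ($ext_if) to $ntp_servers \
    port 123 keep state

# NFS/portmap are deliberately absent from the $ext_if rules above, so
# ports 111 and 2049 are unreachable from the outside no matter what is
# running.  If the box must also export filesystems (which the message
# above advises against on a router), confine it to the LAN interface
# and the one client:
pass in on $int_if proto { tcp, udp } from $nfs_client to ($int_if) \
    port { 111, 2049 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. One caveat for the NFS rule: only portmap (111) and nfsd (2049) sit on fixed ports; mountd, lockd and statd register with portmap on whatever port they bind, so a port-based filter only covers them if you pin their ports (see the daemons' man pages for the relevant option) and add those ports to the rule. That dependence on dynamically assigned ports is part of why the message above calls these services insecure in the presence of a firewall.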