Apple have the right idea... I'd say all the vendors need to take a
carefully balanced approach to security in the default configurations of
their software. Leave services exposed to the network disabled by default,
By all means, configure firewalls by default to block all non-established
incoming connections to low port numbers, but for heaven's sake don't also
block access to those ports from the local subnet as well.