In this case, access is denied by default. Only explicitly authorized hosts are permitted access.
The default policy (no access) is implemented with a single, trivial deny file:
This filter denies all service to all clients that have not been explicitly granted access by an Allow filter. The Allow filters, then, might be something like these:
ALL: LOCAL @netgroup1 ALL: .siroe.com EXCEPT externalserver.siroe.com
The first rule permits access from all hosts in the local domain (that is, all hosts with no dot in their host name) and from members of the group netgroup1. The second rule uses a leading-dot wildcard pattern to permit access from all hosts in the siroe.com domain, with the exception of the host externalserver.siroe.com.