The Cockpit port 1001 should be open by default on a freshly installed Fedora 21 Server, according to the release criteria for Fedora Server.
The component of this may need to be tweaked? Does the default firewall come from anaconda? How does Fedora Server differentiate its firewall?
As an additional note, we may want to change this port to something we can get reserved for Cockpit's use with IANA. This would help us avoid future conflicts. The problem of course is finding an unused-but-memorable port. The other idea that struck me just now would be to make it "Dealer's Choice": set Cockpit up to run on port 80/443 at initial boot and allow users to configure it to a port of their choice after that.
The default firewalld configuration is provided by firewalld, but anaconda is enabling the ssh service in the default zone of firewalld - if it is not enabled already. Additionally anaconda is changing the default zone according to the firewall configuration in kickstart installations. For Cockpit I would suggest to provide a service configuration file for firewalld with the proper port to be able to add it for example at installation time. It would also be possible to provide a special zone with all the needed things added for the use in the server. Or to provide a set of zones for the server that are replacing the upstream zone files. If Cockpit is using port 80 or 443, we can simply use the http and https services that are already available in firewalld.
Just as a note: I'd be more comfortable if the initial report read "according to the Fedora Server product design". The release criteria are a mechanism for doing quality assurance on a product, they are not an aspect of product design.
Upstream Cockpit firewall service definition is here: https://github.com/cockpit-project/cockpit/pull/806
firewalld-0.3.10-3: Added new fedora-server zone with cockpit enabled.
Fixed in rawhide in package firewalld-0.3.10-3 or newer.