The file I CAN change to affect the firewall:

# cat /etc/sysconfig/system-config-securitylevel
--enabled
--port=8080:tcp
--port=8081:tcp
--port=514:udp
--port=22:tcp
--port=80:tcp
--port=443:tcp

And the one that is USED:

# cat /etc/sysconfig/iptables
...
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
...


Differ.  Firewall configuration is tricky -- and you don't want to leave unknown
services enabled.  I'm concerned that "extra" ports are left enabled in the
default configuration.

I think that system-config-securitylevel should either open exactly the ports in
/etc/sysconfig/system-config-securitylevel, or at least document WHERE the
additional port holes are sourced from.

Documentation in general would help... what's the format of
/etc/sysconfig/system-config-securitylevel ? Can I use it to restrict at
particular port opening to an IP address range?  Or is it limited to what I see?