During installation, I selected customized firewall security and explicitly
allowed telnet, ftp, and ssh.  (This is my home network which is behind a
firewall.  I figured that would be good enough as my real firewall accepts
only ssh...)  The result was the following /etc/sysconfig/ipchains:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 10.160.59.1 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY

With this configuration, a few things didn't work that should have
including kinit and nfs mounts.  (Neither nfs client nor server worked.)

It seems that rejecting all udp packets coming into the input chain is too
strict for most purposes.  If someone is going to mount file systems via
nfs, this is too tight.  Anyway, I'm very glad to see that the default
RedHat install is too tight rather than too loose.  This is the right way
to err.  However, maybe some refinement is still in order before the real
release, or at least being a little louder during installation about how to
deal with the kinds of problems that will likely occur.