during ipa-server-install, we observed that we if have a system with has firewall enabled, none of the ports are then opened up. We believe we should automatically change iptables configuration on the ipa-server machine to allow access to these ports.
I don't believe in changing firewall settings from applications. It is not a good security practice (and I hope SELinux would prevent that anyway). At the end of the setup script we warn admins on the ports they need to open (and that is also documented in the docs I bellieve).