SCIENTIFIC-LINUX-USERS Archives

February 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Keith Lofstrom <[log in to unmask]>
Date: Tue, 20 Feb 2007 08:55:26 -0800

The file /etc/sysconfig/iptables sets up the rules for firewalls.
According to the file, it is generated by the program
"system-config-securitylevel"

When I set up my laptop with the GUI, the only incoming service I
intended to open was ssh (which is configured with keys for security). 
However, when I look at the iptables file I see some extra ACCEPT lines:

  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

Those services are:
  50   = remote mail checking protocol
  51   = IMP Logical Address Maintenance
  5353 = Multicast DNS (used by zeroconf)
  631  = Internet Printing Protocol and Cups

The last two work with printer configuration; I don't know why the
first two are opened.  I commented out the ACCEPT lines, and things
still work fine (so far).  I assume this will bollix up some printer
autodiscovery features, but I don't want or need those.  I am far more
worried about those ports being used for future hostile exploits.

I imagine the next time I fiddle with the GUI configuration on my SL4.4
laptop these lines will get uncommented.  The silent opening of ports is
a bug, IMHO.  What is the best way to fix the system-config-securitylevel
program to either ask explicitly or not turn on these ports?  Should this
be considered a security flaw in SL4.4 ?

Keith

PS:  In related behavior, the cups server on my laptop used to
broadcast its printers.  I turned that off with "BrowseInterval 0" in
/etc/cups/cupsd.conf.  I want cups to service only internal requests,
and do not need to broadcast availability to the world.  Zeroconf
printing is a wonderful thing sometimes, but not on roaming laptops!

-- 
Keith Lofstrom          [log in to unmask]         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
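The ACCEPT lines quoted in the message can be audited mechanically instead of by eye. What follows is an added example, not code from the original message or from Scientific Linux: it parses an iptables-save style file such as /etc/sysconfig/iptables, follows the jump from INPUT into the RH-Firewall-1-INPUT chain, and reports every ACCEPT rule that opens a port not on an allowlist, plus every rule that accepts a whole protocol with no port, interface or connection-state match. The sample rules are constructed to resemble what system-config-securitylevel writes and are not copied from a real host; numeric protocols are resolved through /etc/protocols when it is readable, with a small built-in fallback table (the IANA assignments that /etc/protocols also lists) so the script runs offline. The allowlist of ("tcp", "22"), the function names and the fallback table are assumptions of this example.

```python
"""Audit an iptables-save file (e.g. /etc/sysconfig/iptables) for ACCEPT rules."""
import shlex
import sys

# Constructed sample in iptables-save format, modelled on the RH-Firewall-1-INPUT
# chain that system-config-securitylevel writes; not copied from a real host.
SAMPLE_RULES = """\
# Firewall configuration written by system-config-securitylevel
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Fallback number->name table (assumed here; same values as IANA and /etc/protocols),
# used when /etc/protocols cannot be read so the audit still runs offline.
FALLBACK_PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp", "50": "esp", "51": "ah"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", None}


def load_protocols(path="/etc/protocols"):
    """Return {number: name} from /etc/protocols when readable, else the fallback."""
    table = dict(FALLBACK_PROTOCOLS)
    try:
        with open(path) as fh:
            for line in fh:
                fields = line.split("#", 1)[0].split()   # e.g. "esp 50 ESP"
                if len(fields) >= 2 and fields[1].isdigit():
                    table[fields[1]] = fields[0]
    except OSError:
        pass
    return table


def parse_rules(text, protocols=None):
    """Parse '-A chain ...' lines into dicts; headers, comments and COMMIT are skipped."""
    protocols = load_protocols() if protocols is None else protocols
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        opts, i, negate = {}, 2, False
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":                      # negation applies to the next option
                negate, i = True, i + 1
                continue
            arg = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                arg, i = tokens[i + 1], i + 1   # option takes a value (-p udp, --dport 631)
            opts[("!" if negate else "") + tok] = arg   # negated matches never count as opens
            negate, i = False, i + 1
        proto = opts.get("-p")
        rules.append({"chain": tokens[1], "target": opts.get("-j"),
                      "proto": protocols.get(proto, proto) if proto else None,
                      "dport": opts.get("--dport"), "dst": opts.get("-d"),
                      "iface": opts.get("-i"), "state": opts.get("--state")})
    return rules


def input_chains(rules):
    """INPUT plus every user chain reachable from it through -j, transitively."""
    chains, grew = {"INPUT"}, True
    while grew:
        grew = False
        for r in rules:
            if r["chain"] in chains and r["target"] not in BUILTIN_TARGETS \
                    and r["target"] not in chains:
                chains.add(r["target"])
                grew = True
    return chains


def input_accepts(text, protocols=None):
    """All ACCEPT rules that can match traffic arriving from the network."""
    rules = parse_rules(text, protocols)
    chains = input_chains(rules)
    return [r for r in rules if r["chain"] in chains and r["target"] == "ACCEPT"]


def open_ports(text, protocols=None):
    """Set of (proto, dport) pairs the firewall accepts."""
    return {(r["proto"], r["dport"]) for r in input_accepts(text, protocols) if r["dport"]}


def unexpected_open_ports(text, allowed, protocols=None):
    """Open ports that are not on the allowlist of (proto, dport) pairs you intended."""
    return open_ports(text, protocols) - set(allowed)


def protocol_wide_accepts(text, protocols=None):
    """Protocols accepted outright: no port, interface or connection-state match."""
    return [r["proto"] for r in input_accepts(text, protocols)
            if r["proto"] and not r["dport"] and not r["iface"] and not r["state"]]


if __name__ == "__main__":
    rules_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    intended = {("tcp", "22")}   # assumed: ssh was the only service meant to be open
    for proto, port in sorted(unexpected_open_ports(rules_text, intended)):
        print("unexpected ACCEPT: %s/%s" % (proto, port))
    for proto in protocol_wide_accepts(rules_text):
        print("protocol-wide ACCEPT: %s" % proto)
```

Run it with no argument to check the constructed sample, or with the path to a live /etc/sysconfig/iptables. Each line it prints is a rule to reconcile against what you actually intended to open; since the GUI regenerates the file, the check is worth rerunning after every visit to system-config-securitylevel rather than relying on commented-out lines staying commented out.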
