We should most likely be including the iptables-services rpm, which starts iptables up on system boot and restores rules that represent a "sane default".
It has been my experience in the past that the firewall has been configured. Not sure when the default configuration got moved into a separate rpm but we should restore it. It is easy to configure and poke holes in the firewall (via cloud-init) or some other mechanism so this shouldn't be too big of a deal.
Last time this came up, there was rather strong feedback that the default should be open, and cloud images should rely on the cloud infrastructure's own security features -- security groups or similar.
Agreed, the target use cases (GCE, EC2, OpenStack, whatever) all have network security external to the instance. Anyone who needs the firewall active can, as you said, use cloud-init or chef/puppet/ansible/salt.
For casual cloud users, having an instance firewall deny them after they've set up security groups to allow the traffic would probably be confusing if they assume security groups "are" the firewall.
Going to close this ticket, as everything seems to be working as expected - no firewall on or configured by default.