Fedora does very well compared to other systems in this.
"After the first reboot, the network card came on-line for a final stage
of installation configurations. Fedora's installer prompted for security
configurations on the firewall whereupon ports were opened for FTP,
Mail, NFS, SSH, Samba, HTTPS, telnet and HTTP. No changes were made to
the default SELinux policies.72 Nmap could not identify the operating
system, guessing incorrectly Sun Solaris 10. Unlike other Nmap scans
which took only seconds, this scan lasted for 26 minutes and resulted in
numerous filtered ports which is behavior indicative of a default
firewall. A Nessus scan against Fedora 6 during the configuration
process revealed no direct vulnerabilities to the host itself.73"