Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#865 - Include firewall script in default install
Attached to Project: Arch Linux
Opened by Petri Pennanen (suvarin) - Saturday, 01 May 2004, 13:07 GMT
Last edited by Judd Vinet (judd) - Saturday, 01 May 2004, 17:44 GMT
Details

It would be useful to have a default firewall script included in the installation. Most Arch users tend to go online directly after install to update packages etc. Newbies especially often forget to add a firewall. Having a simple default firewall would help newbies without hindering advanced users too much.
My suggestion is to:

1. Do either A or B

   A. Create a default IPTABLES_CONF to be used with the iptables script in /etc/rc.d

   B. Create /etc/rc.d/firewall

    #!/bin/sh
    #
    # /etc/rc.d/firewall: start/stop firewall
    #
    # This is a simple firewall to protect your system after
    # install. It allows your system to connect to the outside
    # world while stopping all incoming traffic, except that
    # initiated by you. Look for more advanced options at
    # http://www.netfilter.org
    #
    if [ "$1" = "start" ]; then
        /usr/sbin/iptables -F
        /usr/sbin/iptables -P OUTPUT ACCEPT
        /usr/sbin/iptables -P FORWARD DROP
        /usr/sbin/iptables -P INPUT DROP
        /usr/sbin/iptables -A INPUT -i eth0 -m state \
            --state ESTABLISHED,RELATED -j ACCEPT
    elif [ "$1" = "stop" ]; then
        # iptables is not a daemon, so there is no process to kill;
        # stopping means restoring the ACCEPT policies and flushing the rules
        /usr/sbin/iptables -P INPUT ACCEPT
        /usr/sbin/iptables -P FORWARD ACCEPT
        /usr/sbin/iptables -F
    else
        echo "usage: $0 start|stop"
    fi
    #End of file

2. Add it by default to the daemons array in /etc/rc.conf (before the network-script is loaded).
3. Mention it in the documentation "3.1 Configuration Files"
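Option A from the report above, written out as an added example that is not part of the original report or of the iptables package: the same policy in iptables-save format (the format iptables-restore reads), plus a check that a rules file still keeps that default-deny posture. The function names and the loopback rule are assumptions added here; eth0 is taken from the report's script.

```shell
#!/bin/sh
# Added example, not from the original report.

# Print the report's policy as an iptables-save style ruleset.
# The loopback rule is an addition so that local services keep working
# once the INPUT policy is DROP.
default_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# audit_rules FILE: return 0 only if the filter table in FILE drops INPUT
# and FORWARD by default, accepts replies to established connections, and
# has no unconditional ACCEPT on INPUT.
audit_rules() {
    awk '
        /^\*/             { in_filter = ($0 == "*filter") }
        !in_filter        { next }
        /^:INPUT DROP /   { input_drop = 1 }
        /^:FORWARD DROP / { forward_drop = 1 }
        /^-A INPUT / && /--state/ && /ESTABLISHED/ && /-j ACCEPT/ { stateful = 1 }
        # An unconditional ACCEPT on INPUT defeats the DROP policy
        /^-A INPUT -j ACCEPT$/ { wide_open = 1 }
        END { exit !(input_drop && forward_drop && stateful && !wide_open) }
    ' "$1"
}

# With a file argument, audit that file; with none, do nothing.
if [ "$#" -gt 0 ]; then
    if audit_rules "$1"; then
        echo "OK: $1 keeps the default-deny policy"
    else
        echo "WEAK: $1 does not keep the default-deny policy"
    fi
fi
```

Redirecting the output of `default_rules` to a file gives a ruleset that `iptables-restore` can load as root.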
Comment by Judd Vinet (judd) - Tuesday, 14 September 2004, 01:38 GMT
I've added a more practical firewall in the example file simple_firewall.rules, included in the iptables package.