yep, I ran nmap locally and was like...well, it's listening. I ran nmap remotely and it returned filtered.
Perhaps the weirdest thing is that before when I have tried to install manually with the firewall on things have gotten in an unrecoverable stat.
This latest install I was using Ansible, and the Ansible playbook seems to have taken care of the port situation.
That said, maybe the port stuff was a bug that was fixed when I moved to #foreman 2.1 and #katello 3.16. I think 3.16 may still strictly speaking be RC, but...whatever.