In earlier versions of xen, the default network setup was a bridge - the domU guests attached to the bridge and were not affected by the firewall on dom0.
In recent versions (> 3.1.x, I think) with libvirt, the default set up is slightly different - the standard libvirt installation provides NAT based connectivity to virtual machines through virbr0, which has an IP address of 192.168.122.1. This is all described on the libvirt networking page.
However, I'd tried this set up several times before and always had problems - specifically, the bridge would not start automatically at boot, it failed and had to be brought up manually post-boot.
Today, I decided to dig in and get to the bottom of the issue. I hopped onto the #virt IRC channel on ORTC and asked for help. As luck would have it, danpb was in there and worked through things with me. The breakthrough was when he said:
<danpb> you have got ifcfg-br0 using TYPE=Bridge, and not TYPE=BRIDGE right ?
<danpb> it is stupidly case sensitive
I was actually using "TYPE=bridge". I made the change and rebooted and it worked!
Dan has since added a note about this to the wiki page.
One further useful tip: if you don't need libvirt's NAT network then you can remove it:
virsh net-destroy default
Or disable it, but leave it defined:
virsh net-autostart --disable default
Then restart libvirtd to see it disappear:
service libvirtd restart