You only need port 2195 to be open for outbound connections (and also port 2196 for the Feedback Service).
You don't have to open any port for inbound connections, since Apple doesn't initiate the connection to your server: your server initiates the connection to Apple.
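As an added example (not part of the original answer), here is a small shell helper for the egress-only setup described above: it probes whether this host can open outbound TCP connections to the gateway (2195) and Feedback Service (2196) ports, and prints the minimal iptables rules such a host needs, with no inbound rule beyond replies to connections it opened. The hostnames are Apple's legacy binary-APNs endpoints and are an assumption for the probe; Apple has since retired that binary interface (the HTTP/2 provider API uses 443 or 2197), so point the targets at whatever endpoint your provider code actually talks to.

```shell
#!/bin/sh
# Added example, not code from the original answer. Probes outbound reachability
# of the APNs gateway/feedback ports and prints egress-only firewall rules.
# Hostnames below are assumed (Apple's legacy binary-APNs endpoints).

# check_outbound HOST PORT [TIMEOUT_SECONDS]
# Exit status 0 if a TCP connection to HOST:PORT can be opened from here,
# non-zero otherwise. Uses bash's /dev/tcp pseudo-device so no extra tools
# (nc, telnet) are needed; `timeout` bounds the wait when SYNs are silently
# dropped by an egress firewall instead of being refused.
check_outbound() {
    host=$1; port=$2; secs=${3:-5}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# apns_egress_rules
# Prints (does not apply) iptables rules for a host that only ever *opens*
# connections to APNs. Outbound NEW connections to 2195/2196 are allowed;
# inbound packets on those ports are accepted only as part of connections
# this host started. No INPUT rule admits NEW connections, matching the
# "no inbound port needed" point above.
apns_egress_rules() {
    cat <<'EOF'
# Outbound: let this host open connections to the APNs gateway and Feedback Service
iptables -A OUTPUT -p tcp -m multiport --dports 2195,2196 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Inbound: only packets belonging to connections we opened; nothing listens on 2195/2196
iptables -A INPUT  -p tcp -m multiport --sports 2195,2196 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# apns_reachability
# Probes both (assumed) legacy endpoints, prints one line per target and
# returns the number of unreachable targets (0 means all reachable).
apns_reachability() {
    failed=0
    for target in gateway.push.apple.com:2195 feedback.push.apple.com:2196; do
        h=${target%:*}; p=${target#*:}
        if check_outbound "$h" "$p"; then
            echo "OK       outbound to $target"
        else
            echo "BLOCKED  outbound to $target (check egress firewall or proxy)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh apns_ports.sh check   (probe the endpoints)
#        sh apns_ports.sh rules   (print the firewall rules)
case "${1:-}" in
    check) apns_reachability ;;
    rules) apns_egress_rules ;;
esac
```

Run `sh apns_ports.sh check` from the server that will hold the APNs connection; a BLOCKED line for 2195 while the host can otherwise reach the internet usually means an egress filter or explicit proxy is in the way, which is the only firewall change this setup ever requires. The rules are printed rather than applied so you can review them against your existing chain policy before adding them.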