MacOS – Which incoming ports do you need to open in osx firewall

Tags: firewall, macos

I use pf (BSD packet filter via Terminal). The recommended use of pf is to block all incoming ports and then open those you need.

I want my system to work properly and not miss things like Automatic Updates, AirPlay, AirDrop, etc.

I came across the following list but it doesn't specify if it is incoming or outgoing.
https://support.apple.com/en-us/HT202944

How can I find out?

Best Answer

As a rule of thumb: If you provide a service on your Mac, you have to open the appropriate incoming port(s).

Example:
If you have a standard web server running on your Mac, you have to open the incoming port 80 (http) and/or port 443 (https). You may customize those ports in the web server config (e.g. 10080/10443) and then would have to open the respective ports and close the default ones. To access the web server you would have to enter www.mywebserver.home:10080 in your browser.

From the viewpoint of a client, the ports mentioned in the Apple list are all destination ports (to which port do I have to send a message to get a proper reply?). The source port may be an arbitrary one (mostly above port ~10000).

From the viewpoint of a server the ports mentioned in the Apple list are all source ports (or "incoming ports").

So if you don't provide any services, you may block all incoming ports. As such, Automatic Updates is not a service you provide on your Mac, because you don't run a Software Update Server.

AirDrop and AirPlay (and also some push services) are a different matter: they don't look like they are servicing (like a traditional server), but indeed they do. If you didn't exclude local networks previously in the firewall settings, you have to open the respective incoming ports on the servicing host(s).
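The rule of thumb above (block all inbound, pass only the ports of services you actually provide, and let stateful tracking handle the replies to your own outbound requests such as Software Update) translates into a small pf ruleset. The following is an added example, not part of the original answer and not Apple's configuration; the interface name `en0`, the LAN subnet `192.168.1.0/24` and the customized web server ports 10080/10443 are assumptions you must adapt to your own setup.

```pf
# Example /etc/pf.conf for a Mac that only serves a web server (added illustration).
# ASSUMPTIONS: primary interface is en0, home LAN is 192.168.1.0/24,
# web server listens on the customized ports 10080/10443 from the answer.
ext_if    = "en0"
lan       = "192.168.1.0/24"
web_ports = "{ 10080, 10443 }"

set skip on lo0                    # never filter loopback
scrub in all                       # normalize fragmented packets

# Default policy: drop every unsolicited inbound packet, allow all outbound.
# "keep state" on the outbound rule lets replies come back, so outbound-only
# things like Automatic Updates need no inbound rule at all.
block in all
pass out all keep state

# IPv6 only works if neighbor/router discovery can reach us from link-local.
pass in on $ext_if inet6 proto icmp6 from fe80::/10 \
    icmp6-type { neighbrsol, neighbradv, routeradv } keep state

# Services this Mac provides: open only their destination ports.
# Do NOT open 80/443 as well; those defaults stay closed once the server
# has been moved to the custom ports.
pass in on $ext_if proto tcp from any to ($ext_if) port $web_ports \
    flags S/SA keep state

# AirPlay and similar peer-to-peer features act as servers too. Instead of
# enumerating their (partly dynamic) ports, trust only the local network,
# which is the "exclude local networks" choice the answer refers to.
pass in on $ext_if from $lan to ($ext_if) keep state

# AirDrop uses the Apple Wireless Direct Link interface (awdl0) with
# IPv6 link-local addresses rather than en0; allow it from link-local only.
pass in on awdl0 inet6 from fe80::/10 keep state
```

Check the syntax without loading anything with `sudo pfctl -nf /etc/pf.conf`, then load and enable it with `sudo pfctl -ef /etc/pf.conf`, and confirm what is active with `sudo pfctl -sr`. If the web server is later moved back to 80/443, change `web_ports` accordingly so the custom ports are closed again; every port left in that list is an exposed service.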