You shouldn't require any rules unless IPs or ports are blocked from being able to make connections out from the network. The most common situation that could occur is some sort of locked-down corporate network.
If you're looking to define a standardized port, 22021 is the default as listed here, but they're just the defaults, so they may be changed by node operators. The initial seed nodes will also use 443 or 4433.
22100-22199 might also be a helpful range that is used for multi-SN setups.