The necessary ports to run the IBM i .NET Data Provider are:
1) 449 – Port Mapper. This is non-SSL, but no data is transferred on it. It is just a request to see what port to use. Client Access can be configured to not need this.
2) 8476 (9476 for SSL) – Signon Verification
3) 8471 (9471 for SSL) – Database Access
For information on all of the Client Access ports, see http://www-01.ibm.com/support/docview.wss?uid=nas8N1019667.
The best article I found to explain these is http://www.mcpressonline.com/security/ibm-i-os400-i5os/iseries-access-through-a-firewall.html.
This article explains how the ports can be changed if you still feel it is important to do that.
From this article I set up Client Access to use the “Standard” ports so that you do not need to also open up port 449 for the Port Mapper.
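To confirm from the client machine that the firewall passes exactly the ports listed above, the following added example (not from the original post or from IBM) builds the port list for the chosen setup and reports whether each port is open, refused, or silently dropped. The function names, the script name and the command-line flags are assumptions made for illustration.

```python
import socket
import sys

# Ports as listed above: service -> (non-SSL port, SSL port)
PORT_MAPPER = 449
SERVICES = {
    "signon verification": (8476, 9476),
    "database access": (8471, 9471),
}


def required_ports(ssl, use_port_mapper):
    """Return {port: description} that the firewall must allow for this setup."""
    ports = {}
    if use_port_mapper:
        # Port 449 is always non-SSL; it only answers "which port do I use?"
        ports[PORT_MAPPER] = "port mapper"
    for name, (plain, secure) in SERVICES.items():
        ports[secure if ssl else plain] = name + (" (SSL)" if ssl else "")
    return ports


def probe(host, ports, timeout=3.0):
    """TCP-connect to each port and classify the outcome."""
    results = {}
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "refused"    # host reachable, nothing listening (or a reject rule)
        except socket.timeout:
            results[port] = "filtered"   # no answer: typically dropped by a firewall
        except OSError as exc:
            results[port] = "error: %s" % exc
    return results


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_ibmi_ports.py HOST [ssl] [mapper]
    host, flags = sys.argv[1], sys.argv[2:]
    wanted = required_ports("ssl" in flags, "mapper" in flags)
    for port, state in probe(host, wanted).items():
        print("%5d  %-28s %s" % (port, wanted[port], state))
```

A "filtered" result on 8471 or 9471 with "open" on the signon port usually means the firewall rule covers only part of the list.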