http://technet.microsoft.com/en-us/library/cc646023.aspx states
Replication connections to SQL Server use the typical regular Database Engine ports (TCP port 1433 for the default instance, etc.)
Web synchronization and FTP/UNC access for replication snapshot require additional ports to be opened on the firewall. To transfer initial data and schema from one location to another, replication can use FTP (TCP port 21), or sync over HTTP (TCP port 80) or File and Print Sharing (TCP port 137,138, or 139).
What this doesn't state is whether everything but 1433 can be closed once the initial snapshot has been restored on the subscribers. Are the ports required to be open permanently? I'm airing towards "yes they do" but ideally I need as much closed as possible.
Thanks
–Edit
Sorry I forgot to say that its a pull replication, with the distributor sitting on the publisher server. I'm interested in what needs to be open between the distributor and the subscriber.
Best Answer
Assuming a push subscription and a default instance of SQL on the Subscriber, only inbound TCP port 1433 access at the subscriber is needed (Distributor -> port 1433 on Subscriber). The exception is if you are choosing an alternate delivery transport mechanism (FTP/HTTP/etc...) for the snapshot. Connectivity for the alternate transport mechanism is only needed during snapshot delivery. Once snapshot delivery is complete, the transactions/commands are delivered via TCP port 1433. Standard Transactional replication is 1-way, so connectivity from the subscriber to the distributor on port 1433 is not necessary.
In the case of a pull subscription, the Subscriber will pull from the distributor, so only inbound TCP port 1433 access @ the distributor (Subscriber -> Distributor) is needed (plus any ports necessary for alternative snapshot delivery methods).