Here is an overview of the firewall rules needed by Consul to operate correctly.
Ports required by Consul servers and agents:
Ports used by Consul servers only:
Regarding firewalls, this depends on your particular implementation. On a Consul server, you probably want to allow communications on all the ports mentioned above.
On a Consul agent, things get more tricky. Port 8301 needs to be open, as this is required for communication with other agents and servers. Ports 8400, 8500, 8600 depend on your use-case. If you install a consul agent on every node, there is no need to open those ports in the host firewall. Your applications can just use 127.0.0.1 to communicate with the API and DNS interface.