Hi joerg,
Haha - I wouldn't say I'm more knowledgeable - you seem just as clued up, I'm just adding my experience in to the mix in the hope that someone might be able to set matters straight!
I see what you mean about the wording around "send" and "receive", it does make it sound like data is sent on one port and received on another, but I don't believe that is the case. Your machine has to have a connection established to a service on one of Apple's servers in order to send messages back and forth - but someone has to initiate that connection first. The question is who initiates that connection? Do Apple's servers come to you to connect, or do you go to them? When a process wants to establish a connection with another process running on another machine it needs to know where that machine is (the IP address), and of all the services running on that machine, how to connect to the right one; this is designated by the port.
So if Apple connected to you, they'd need to know your IP address or hostname and try to connect to you when your machine was up and running. But that wouldn't be feasible, so it's up to you to connect to them. Software running on your machine will connect to one of Apple's servers on a well-known port to establish the connection.
When a service on your machine creates a connection, it too is designated a port by the OS to communicate on (the local port) and then attempts to connect to the remote service on a given port. Now for security reasons you don't want anyone trying to randomly connect to ports opened by processes on your machine, so your airport will likely be blocking all inbound connections, but it's unlikely it'll be blocking you from making outbound connections. For example, you wouldn't be able to view websites unless ports 80 (and 443 for https) were explicitly opened by your airport. It's generally the case that all outbound connections are permitted - it's the inbound ones you don't want!
So, as Profile Manager can send push notifications in order to remotely update profiles on other devices, it needs to make a connection to Apple's push service for profile update notifications on ports 2195 and 2196. I'm assuming that this service is used to notify devices of profile updates and sends back the status of the update to Profile Manager running on your server. So you can both send and receive data on ports 2195 and 2196 once your machine has established the connection.
Now there appears to be another push notification service which is not specific to Profile Manager on port 5223. I'm guessing this is the one that Mail uses (and probably other services too) to notify devices that a new mail has arrived. Traffic would indeed flow both ways - send and receive - but again, you would be initiating the connection to Apple, so unless your airport is set up to deny outbound connections, then you would not need to open this port. Doing so would mean that the outside world can connect to port 5223 on your machine. It's unlikely any process on your machine would be using that port, but it does open up your internal network to the world a little more.
If I run this:
netstat -f inet -p tcp
I get something like this:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 server.domain.com 49198 17.149.32.78.5223 ESTABLISHED
tcp4 0 0 server.domain.com 49317 17.149.35.167.2195 ESTABLISHED
This shows that a process on my server has a connection from port 49198 to the remote port 5223 on Apple's, and from local port 49317 to remote port 2195 on Apple's. Both connect TO Apple. No processes are listening on 5223, 2195 or 2196 on my server for Apple to connect in to my network. You can see those ports reside on Apple's end, not mine.
I'm just wondering if either your airport is oddly set up to block outbound connections which you have opened, so opening outbound connections fixed it, or something else got fixed at the same time you opened those inbound ports. It would be interesting to see if closing them again has any negative effect on your push service.
Ok, so I've learned something there - you don't even need to reroll a device to have this work! Cool!
I hope this has helped!
Paul
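The check Paul describes above, written out as an added example (not code from the post): parse macOS-style `netstat -f inet -p tcp` output, where the port is glued to the host with a final dot, and confirm that the push connections are outbound (ephemeral local port, well-known remote port) and that nothing is listening on 2195, 2196 or 5223. The sample output is constructed; the LISTEN line is added only for contrast, and the ephemeral-port threshold is the IANA dynamic range, an assumption about how the OS picks local ports.

```python
# Constructed sample in the shape of `netstat -f inet -p tcp` on macOS, where the
# port is appended to the host with a dot (e.g. 17.149.32.78.5223). The two
# ESTABLISHED lines mirror the post; the LISTEN line is constructed for contrast.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address           Foreign Address        (state)
tcp4       0      0  server.domain.com.49198 17.149.32.78.5223      ESTABLISHED
tcp4       0      0  server.domain.com.49317 17.149.35.167.2195     ESTABLISHED
tcp4       0      0  *.22                    *.*                    LISTEN
"""

APNS_PORTS = {2195, 2196, 5223}
EPHEMERAL_START = 49152  # assumption: IANA dynamic range, where the OS picks local ports


def split_host_port(addr):
    """Split 'host.port' on the LAST dot; a wildcard port '*' becomes None."""
    host, _, port = addr.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line; the header line is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        lhost, lport = split_host_port(fields[3])
        fhost, fport = split_host_port(fields[4])
        conns.append({"local": (lhost, lport), "remote": (fhost, fport), "state": fields[5]})
    return conns


def outbound_push_connections(conns):
    """ESTABLISHED sockets whose remote port is an APNs port and whose local
    port is ephemeral: this machine initiated them, no inbound rule needed."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and c["remote"][1] in APNS_PORTS
            and (c["local"][1] or 0) >= EPHEMERAL_START]


def listening_on_push_ports(conns):
    """LISTEN sockets bound to an APNs port: only these would justify opening
    the port inbound on the router."""
    return [c for c in conns if c["state"] == "LISTEN" and c["local"][1] in APNS_PORTS]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("outbound push:", outbound_push_connections(conns))
    print("listening on push ports:", listening_on_push_ports(conns))
```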