The replication server component in each directory server listens on a TCP/IP port for replication communication (the replication server port). This port, typically 8989, must be accessible from all directory servers participating in replication. The server-to-server communication channel is kept alive by a heartbeat sent every 10 seconds; this traffic prevents firewalls from closing idle connections prematurely.
The replication command-line utility (dsreplication) requires access to all directory servers participating in replication. This includes the LDAP or LDAPS port of the directory servers.
Keep these communication requirements in mind when configuring firewalls.
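As an added example (not code from the product documentation), the following script derives the required firewall flows from the rules stated above, a full mesh on the replication server port plus dsreplication access to every LDAP/LDAPS port, and reports any flow a constructed rule set fails to permit; all host names, the 1389 LDAP port and the rule format are assumptions for illustration.

```python
"""Check that a firewall rule set covers the connectivity that directory
server replication needs. Added example, not the product's own code.
Requirements modelled from the text above: every replication server port
(typically 8989) must be reachable from every other directory server, and
the host running dsreplication must reach each server's LDAP/LDAPS port.
Host names, ports and the rule format are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryServer:
    host: str
    ldap_port: int = 1389         # constructed value, not a product default
    replication_port: int = 8989  # the typical replication server port

def required_flows(servers, admin_host):
    """Set of (src_host, dst_host, dst_port) flows replication needs open."""
    flows = set()
    for src in servers:
        for dst in servers:
            if src.host != dst.host:
                flows.add((src.host, dst.host, dst.replication_port))
    for dst in servers:
        flows.add((admin_host, dst.host, dst.ldap_port))
    return flows

def missing_flows(servers, admin_host, allowed):
    """Required flows the rule set does not permit. `allowed` holds
    (src, dst, port) tuples; '*' as src or dst matches any host."""
    def permitted(flow):
        src, dst, port = flow
        return any(a[0] in (src, "*") and a[1] in (dst, "*") and a[2] == port
                   for a in allowed)
    return sorted(f for f in required_flows(servers, admin_host) if not permitted(f))

def heartbeat_survives(idle_timeout_seconds, heartbeat_seconds=10):
    """True when the firewall idle timeout exceeds the 10-second replication
    heartbeat, so the heartbeat keeps the connection from being closed."""
    return idle_timeout_seconds > heartbeat_seconds

# Constructed sample topology and a rule set with two gaps
SERVERS = [DirectoryServer("ds1.example.com"), DirectoryServer("ds2.example.com"),
           DirectoryServer("ds3.example.com")]
ALLOWED = {("*", "ds1.example.com", 8989), ("*", "ds2.example.com", 8989),
           ("admin.example.com", "ds1.example.com", 1389),
           ("admin.example.com", "ds3.example.com", 1389)}

if __name__ == "__main__":
    for flow in missing_flows(SERVERS, "admin.example.com", ALLOWED):
        print("missing firewall rule:", flow)
```

Running the sample reports the three missing flows: ds1 and ds2 cannot reach ds3's replication port, and the dsreplication host cannot reach ds2's LDAP port.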