As a follow-on, we tested the firewall rules provided in KB2047585 with VCSA 5.5 and it broke vCenter. We researched the ports required by vCenter and found a few KBs, and it appears that the list of ports specified in the firewall.txt script may be incomplete. Unfortunately, the KBs on required ports are not especially consistent among themselves and not all of them specify port, protocol and direction, so it will take a fair bit of testing to figure out exactly which additional rules are required. Below are the discrepancies I found with the firewall.txt per KB.

Missing from http://kb.vmware.com/kb/2012773 (VCSA specific):
135
8090
21100
22000
22100
11711
11712
8190
8191

Missing from http://kb.vmware.com/kb/1012382 (vCenter 5.x and 5.5 from list of all VMware products):
88
135
161
162
623
903
8005
8006
8009
8083
8085
8086
8087
8089
60099
8003
2012
2013
2014
7331
11711
11712
12721
49000 to 65000

Missing from http://kb.vmware.com/kb/2051575 (vCenter on Windows):
88
903
2012
2013
2014
60099
7331
9875-9877
10111
11711
11712
12721
49000 to 65000
8190
8191
22000
22100
21100
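
The per-KB comparison above can be scripted. This is an added example, not part of the original post and not VMware code: it assumes the rule file uses iptables-style `--dport` / `--dports` ACCEPT lines (the format of firewall.txt is not shown here), and the sample rules and required list are constructed. It checks ports only, not protocol or direction, and reports the uncovered part of a range when a rule only partly overlaps it.

```python
import re

def parse_spec(spec):
    """'8090', '9875-9877', '49000 to 65000' or iptables '49000:65000' -> (lo, hi)."""
    nums = [int(n) for n in re.findall(r"\d+", spec)]
    if not nums or len(nums) > 2 or not all(0 < n <= 65535 for n in nums):
        raise ValueError(f"bad port spec: {spec!r}")
    return min(nums), max(nums)

def allowed_ranges(rules_text):
    """Collect destination-port ranges from ACCEPT rules, sorted by start port."""
    ranges = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0]                  # drop trailing comments
        m = re.search(r"--dports?\s+(\S+)", line)
        if m and re.search(r"-j\s+ACCEPT\b", line):   # DROP/REJECT rules open nothing
            ranges += [parse_spec(p) for p in m.group(1).split(",")]
    return sorted(ranges)

def uncovered(required, ranges):
    """Return the sub-ranges of `required` (lo, hi) that no ACCEPT rule covers."""
    (lo, hi), gaps = required, []
    for a, b in ranges:
        if b < lo:
            continue                  # rule ends before the part still unchecked
        if a > hi:
            break                     # sorted input: later rules start even higher
        if a > lo:
            gaps.append((lo, a - 1))  # hole in front of this rule
        lo = max(lo, b + 1)
    if lo <= hi:
        gaps.append((lo, hi))         # tail that no rule reached
    return gaps

def missing_ports(required_specs, rules_text):
    """Map each required spec to its uncovered sub-ranges; covered specs are omitted."""
    ranges = allowed_ranges(rules_text)
    gaps = {s: uncovered(parse_spec(s), ranges) for s in required_specs}
    return {s: g for s, g in gaps.items() if g}

# Constructed sample input (not the real firewall.txt and not a complete KB list).
SAMPLE_RULES = """\
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,8443 -j ACCEPT
-A INPUT -p tcp --dport 49152:65535 -j ACCEPT
-A INPUT -p tcp --dport 135 -j DROP   # not an ACCEPT, so 135 stays closed
"""
SAMPLE_REQUIRED = ["443", "135", "9875-9877", "49000 to 65000"]

if __name__ == "__main__":
    print(missing_ports(SAMPLE_REQUIRED, SAMPLE_RULES))
```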