Does XCOM require firewalls to be opened?
The firewall must allow routing for destination IP-Number=any and IPPort=8044, or whatever ports you are using. The reason you can't filter based on incoming IP number is that it is random. The partner XCOM must request a socket from the local machine's IP-stack when sending a transfer. The IP-stack will give the next available socket. XCOM has no way of predicting which IP port and which IP address comprise that socket. This process is similar to the way many other TCP-based applications function.
An example of how XCOM gets an IP socket, opens the socket and establishes an IP session when starting a transfer makes clear why a firewall filter can be configured in only one way if XCOM traffic is to flow through.
Example:
When XCOM processes a locally initiated IP-transfer:
This means that the request always addresses the remote IP-number, Port=8044 based on the local parameter IP-Number, Available-Port.
A "netstat" command will show this:
--------------------------------------------------------------
Active Connections
Proto  Local Address       Foreign Address      State
TCP    <local host>:1546   <remote host>:8044   ESTABLISHED
TCP    <local host>:8044   <remote host>:3062   ESTABLISHED
--------------------------------------------------------------
The netstat output above shows 2 currently active transfers. One transfer is locally initiated on <local host> and it set up a TCP session to <remote host>:8044, while at the same time a totally different transfer ran from <remote host> against <local host>. You can see that <remote host> provided a different "next available" socket/port value (3062), which was in session with the 8044-served port on <local host>.
Based on the above, you can see that the only way you can filter traffic at a firewall and let all XCOM transfers through is to allow TCP-session establishment for Destination-Port 8044. Additionally, you could add rules permitting certain, valid IP-ranges, but under no circumstance can you specify a rule for the local socket/port. The local socket/port is always requested from the local IP-stack and the value is random.
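The rule logic described above can be checked against the two netstat sessions. The following is an added example, not XCOM or vendor code: the sample addresses are constructed placeholders from documentation ranges, and `opening_packets`, `permits` and `evaluate` are hypothetical helper names modelling a simple stateless filter.

```python
import ipaddress

XCOM_PORT = 8044  # listening port used on this page

# Constructed sample shaped like the netstat output above; the addresses are
# documentation-range placeholders standing in for <local host>/<remote host>.
SAMPLE_NETSTAT = """\
TCP  192.0.2.10:1546  198.51.100.20:8044  ESTABLISHED
TCP  192.0.2.10:8044  198.51.100.20:3062  ESTABLISHED
"""

def opening_packets(netstat_text, service_port=XCOM_PORT):
    """Return (src_ip, src_port, dst_ip, dst_port) of the packet that opened each session."""
    packets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        local_ip, local_port = fields[1].rsplit(":", 1)
        remote_ip, remote_port = fields[2].rsplit(":", 1)
        local, remote = (local_ip, int(local_port)), (remote_ip, int(remote_port))
        # The initiator is the side that is NOT on the service port.
        if remote[1] == service_port:
            packets.append(local + remote)
        elif local[1] == service_port:
            packets.append(remote + local)
    return packets

def permits(packet, dst_port, src_port=None, src_nets=None):
    """Hypothetical stateless rule: match on destination port, optionally on
    source port and on a list of allowed source networks (CIDR strings)."""
    src_ip, sport, _dst_ip, dport = packet
    if dport != dst_port:
        return False
    if src_port is not None and sport != src_port:
        return False
    if src_nets is not None:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(n) for n in src_nets)
    return True

def evaluate(**rule):
    """Apply one rule to every session in the sample; True means the transfer starts."""
    return [permits(p, **rule) for p in opening_packets(SAMPLE_NETSTAT)]

if __name__ == "__main__":
    print("dst 8044 only:           ", evaluate(dst_port=XCOM_PORT))
    print("dst 8044 + src port 1546:", evaluate(dst_port=XCOM_PORT, src_port=1546))
```

A rule pinned to source port 1546 passes only the first session and would fail on the next transfer, when the IP-stack hands out a different port; restricting by partner IP range keeps both sessions working as long as every partner's range is listed.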