NONE.
Really, sorry to burst that bubble... You can't tell what ports are safe simply by looking at their numbers, those port numbers don't matter all that much, you can't mount an attack through a 16-bit number. The security of a port depends mostly on what application you'll reach through that port. The fact that everyone lets ports 25 and 80 (SMTP and HTTP) through their firewalls doesn't mean it's safe... The problem is not in the network layer. It is in how the application processes the data that it receives. This data may be received through port 21, 80, 6666, a serial line, floppy or through singing telegram. If the application is not safe, it does not matter how the data gets to it. The application data is where the real danger lies.
Although a strong hardware/software firewall is a very important first line of defence, with the number of new network protocols and networked applications ( neither designed with security in mind), a firewall might not be enough to protect against all data-driven attacks.
