I'm posting this because I found it nowhere else on the web while trying to get my M1 working from behind a firewall.
For ALL connections (direct and RELAY), the following is needed:
ALLOW tcp from $M1_IP to 220.127.116.11/27 dport 80,443
For RELAY connections (including the FireTV in particular, which doesn't even attempt direct connections), the following firewall rules are needed:
ALLOW tcp from $M1_IP to 18.104.22.168/27 dports 5000-5999
There was one outlier IP that it connected to, in the 8.x.x.x network, but the bulk went to this block... feel free to open it up to all destination IPs as you see fit.
For direct connections over TCP (including the Slingplayer Mac app):
FORWARD tcp from $CLIENT_IP to $FIREWALL_IP dport 5301, to $M1_IP dport 5301
ALLOW tcp from $CLIENT_IP to $M1_IP dport 5301
Some other interesting bits I found...
While Slingplayer and the M1 were setting up connectivity over TCP, I noticed them exchanging UDP packets, but they seemed to fall back on TCP. The M1 sent packets to a bunch of ports, and got responses from one of them (creating 2-way traffic briefly) before the stream stopped. I'm guessing that the M1 prefers UDP, but found something about my connectivity unsavory so it fell back. The ports included: 5680, 5681, 5753-5778 (that range includes both sides).
Each time a connection was initiated, two HTTP streams were established. One had a header "Pragma: Sling-Connection-Type=Control, Session-Id=0" (obviously the out of band control channel) and the other "Pragma: Sling-Connection-Type=Stream, Session-Id=xxxxx" (obviously the in-band data stream). When connecting with the FireTV, the streams were initiated by the M1 to Sling's relay servers on ports 5000-5999. When connecting with Slingplayer, the connections are initiated by the client to port 5301 on the M1.
Upon booting up, the M1 obtains an IP address via DHCP. It then broadcasts Simple Service Discovery Protocol M-SEARCH packets with a "service type" header of "urn:schemas-upnp-org:device:InternetGatewayDevice:1", i.e. it is looking for a UPnP gateway. It sends 2 of these at 20-second intervals, for a total of 6 packets. Since I don't have anything listening for UPnP on my network there were no responses... the M1 appeared to give up.
At rest the M1 is listening on TCP ports 22, 5301, and 8888.
Port 22 is running a DropBear ssh daemon.
Port 5301 is the main service.
Port 8888 is silent or some weird protocol. It doesn't respond to TLS, HTTP, and it doesn't even disconnect me or complain when I spam garbage at it (head -c 8192 /dev/random | nc $M1_IP 8888).
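
The following is an added example, not part of the original post: a small Python checker that maps logged TCP flows onto the firewall rules above and reads the Sling Pragma header to tell control from stream channels, so flows that no rule covers stand out. The M1 and client addresses, the session ID and the sample flows are constructed assumptions.

```python
import ipaddress

# Destination blocks exactly as written in the post. strict=False because the
# post gives a host address with a /27 mask rather than the network address.
WEB_NET = ipaddress.ip_network("220.127.116.11/27", strict=False)
RELAY_NET = ipaddress.ip_network("18.104.22.168/27", strict=False)
M1 = ipaddress.ip_address("192.0.2.10")         # assumed $M1_IP
CLIENT = ipaddress.ip_address("198.51.100.20")  # assumed $CLIENT_IP

def parse_pragma(header_line):
    """Return the key=value fields of a Sling Pragma header as a dict."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "pragma":
        return {}
    fields = {}
    for part in value.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val
    return fields

def classify(src, dst, dport, header_line=""):
    """Map one TCP flow to (rule, channel); rule is None if no rule covers it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    channel = parse_pragma(header_line).get("Sling-Connection-Type")
    if src == M1 and dst in WEB_NET and dport in (80, 443):
        return ("all-connections", channel)
    if src == M1 and dst in RELAY_NET and 5000 <= dport <= 5999:
        return ("relay", channel)
    if src == CLIENT and dst == M1 and dport == 5301:
        return ("direct", channel)
    return (None, channel)

def uncovered(flows):
    """Return the flows that none of the post's rules would allow."""
    return [f for f in flows if classify(*f)[0] is None]

# Constructed sample flows: (src, dst, dport, first Pragma header seen).
SAMPLE_FLOWS = [
    ("192.0.2.10", "220.127.116.11", 443, ""),
    ("192.0.2.10", "18.104.22.170", 5123,
     "Pragma: Sling-Connection-Type=Stream, Session-Id=12345"),
    ("198.51.100.20", "192.0.2.10", 5301,
     "Pragma: Sling-Connection-Type=Control, Session-Id=0"),
    ("192.0.2.10", "8.0.0.1", 5123, ""),  # stands in for the 8.x.x.x outlier
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow[:3], "->", classify(*flow))
```
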