Allow Apple iOS and Mac updates through firewall

article #924, updated 2971 days ago

Having studied lots of reference material:

https://support.apple.com/en-us/HT202944
http://stackoverflow.com/questions/10688852/ip-address-ranges-for-apns-servers
https://support.apple.com/en-us/HT200149
https://discussions.apple.com/thread/5226424?start=0&tstart=0
https://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/config/config_proxy_mobile.dita

it is very clear that the true situation is not very clear. However, a few things appear consistent.

First of all, the IP range. Apple has 17.0.0.0/8 reserved to itself, that’s every IPv4 address starting with 17. So if you were to configure your firewall to allow everything outbound to that gigantic range, it appears you’re done. That is a huge range though, and although the whole block is registered to Apple, it is not clear that Apple is vetting all data at all of those IPs, so a rule that broad allows far more than updates.

Second, the DNS hostnames. *.apple.com seems to cover everything, as long as “*” is multilevel in its reference, i.e., as long as the rule refers not only to a.apple.com, but to a.a.apple.com as well. If your firewall is one of the better ones that allows FQDN-based rules, this is a much better choice than that huge subnet.

Thirdly, the ports. Apple gives an unbelievably long list of ports, including (for just one example of strangeness) the long-obsolete “finger” protocol port. This writer will not consider opening that entire list. Happily, the other references (when combined!) suggest that the following list should do nicely, TCP only:

80
443
8088
2195
2196
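To make the difference between the two approaches concrete, here is an added example (not code from the original article) that models both rules as a small policy evaluator: the coarse “anything to 17.0.0.0/8” rule, and the tighter “*.apple.com on the five TCP ports above” rule with a multilevel wildcard. The Flow structure, the function names and the sample connections are constructed for this demonstration; a real firewall would of course express the same policy in its own rule syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the original article. The policy values come
# from the article; the Flow type and sample flows are constructed here.

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")          # the /8 the article mentions
ALLOWED_FQDN_SUFFIXES = ("apple.com",)                   # "*.apple.com", multilevel
ALLOWED_TCP_PORTS = frozenset({80, 443, 8088, 2195, 2196})


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as a firewall would see it."""
    dst_ip: str
    dst_host: Optional[str]   # FQDN the client resolved, if the firewall knows it
    proto: str                # "tcp" or "udp"
    dst_port: int


def hostname_matches(host: Optional[str], suffix: str) -> bool:
    """Multilevel wildcard match: a.suffix and a.b.suffix both match, and so
    does the bare suffix. 'notapple.com' and 'apple.com.evil.example' do not,
    because the check requires a dot immediately before the suffix."""
    if host is None:
        return False
    host = host.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def allowed_by_subnet_rule(flow: Flow) -> bool:
    """Coarse rule: any port, any protocol, as long as the destination is in 17/8."""
    return ipaddress.ip_address(flow.dst_ip) in APPLE_NET


def allowed_by_fqdn_rule(flow: Flow) -> bool:
    """Tighter rule: destination name must sit under *.apple.com AND the
    connection must be TCP to one of the listed ports."""
    if flow.proto != "tcp" or flow.dst_port not in ALLOWED_TCP_PORTS:
        return False
    return any(hostname_matches(flow.dst_host, s) for s in ALLOWED_FQDN_SUFFIXES)


def evaluate(flow: Flow) -> dict:
    """Return the verdict of both rules so they can be compared side by side."""
    return {
        "subnet_rule": allowed_by_subnet_rule(flow),
        "fqdn_rule": allowed_by_fqdn_rule(flow),
    }


# Constructed sample flows (the 17.x addresses are illustrative, not real hosts).
SAMPLE_FLOWS = [
    Flow("17.1.2.3", "a.a.apple.com", "tcp", 443),          # both rules allow
    Flow("17.1.2.3", None, "tcp", 79),                      # finger: only the /8 rule allows
    Flow("17.1.2.3", "a.a.apple.com", "udp", 443),          # UDP: only the /8 rule allows
    Flow("17.1.2.3", "apple.com.evil.example", "tcp", 443), # look-alike name: only the /8 rule allows
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, evaluate(f))
```

Running it shows why the article prefers the FQDN rule: the subnet rule says yes to every sample, including the finger port, UDP, and a look-alike hostname that merely resolves into 17/8, whereas the FQDN rule only passes the first flow. The wildcard helper is the part worth copying into any review of an existing rule: a match on the bare string “apple.com” without the leading dot would also accept “notapple.com”.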
