Initial list of significant ports:
Server ports (destinations):
88/udp Kerberos 5 authentication
750/udp Kerberos 4 authentication
7004/udp kaserver / fakeka / ka-forwarder
Note: kaserver also listens on the previous 2 ports, and all Windows clients use them; older kinit and aklog use 750, newer kinit and aklog use 88, klog uses 7004. Source ports are ephemeral. Additional ports are used for Kerberos (but not kaserver) administration, primarily 465/tcp (kpasswd) and 749/tcp (kadmin), again with ephemeral source ports.
123/udp time synchronization
Note that ntpd can be configured to use 123/udp as the source port, but modern versions will use the normal client port allocation mechanisms.
53/udp DNS
It is possible to restrict clients to using only port 53/udp as the source port, by configuring a caching nameserver on the client and configuring it to use only 53/udp for outgoing queries. Be aware that a fixed source port removes the source-port randomisation that modern resolvers rely on to resist cache poisoning, so this trades resolver robustness for a simpler firewall rule.
514/udp syslog
Only if clients are configured for remote logging. The source port will depend on the syslog implementation but is usually ephemeral.
7002/udp ptserver (AFS authorization)
Clients use this at login (aklog or klog) time. Be aware that credential "forwarding" does not actually copy an existing credential, but requests a new one using the old one as an authenticator; as such, it requires both ptserver and kaserver or kdc to be reachable from the destination host. Source ports are ephemeral.
7000/udp fileserver
7003/udp vlserver
7005/udp volserver
Clients use these to locate volumes and read/write data; servers also use them to communicate with each other. Both clients and servers use ephemeral source ports.
7001/udp cache manager
This is a service on clients; clients notify servers that they are using data via callbacks, and servers contact the clients to "break the callback" and notify them of changes to the data. Callback traffic from servers to clients has source port 7000/udp (fileserver). Servers also regularly "ping" clients in an attempt to maintain NAT mappings.
7007/udp bosserver
Server process maintenance service; servers themselves do not use this directly (but often also run clients, which may be used to talk to it). The source port is ephemeral.
Optional services:
7008/udp upserver
If you are using the update service (non-default) then this port is used to communicate with it. Source ports are ephemeral.
7009/udp knfs
AFS/NFS translator remote services. Only used with the AFS/NFS translator, which has not been functional for many years because it depends on kernel internals for NFS integration.
7020-7032/udp buserver / butc
AFS backup service. 7020 is the controller coordinator; 7021 is command and control; other ports are for tape controllers. Source ports are ephemeral. Note that tape controllers may run on AFS clients, and will communicate with fileserver, volserver, and vlserver as well as the coordinator and buserver.
7101/udp xstat
2106/udp fsmonitor
Debugging and statistics collection.
4711/udp arlad
Arla was an AFS implementation for platforms not supported by Transarc AFS. It used port 4711 instead of 7001 for callbacks.
Notes
Ephemeral ports are typically allocated starting from 1024; the upper range depends on the platform and the system configuration, but often extends over 32000 and may potentially be up to 65534. In general there is no control over the port usage beyond constraining the kernel's willingness to assign ephemeral ports to any process. Be aware that severe constraints on ephemeral UDP ports will have a significant impact on other UDP services, notably DNS and potentially syslog.
In most cases, clients do not need access to the entire 7000-7011 port range allocated for AFS; 7000-7005 is sufficient. If necessary, add 7007 for bos (controlling servers from clients) and 7008 for backup control.
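The following is an added example (not part of the original list) that turns the port model above into a small flow checker for reviewing firewall or conntrack records: client-to-server traffic is expected only on the ports a client needs (7000, 7002, 7003, 7005, optionally 7007 and 7008, plus the Kerberos authentication ports) with an ephemeral source port, and server-to-client traffic is expected only as callbacks or NAT-keepalive pings to 7001 with source port 7000. The port numbers come from the list above; the log-line format, the addresses in SERVERS/CLIENTS, the sample records and the classify() rules are constructed for this example.

```python
"""Classify UDP flows against the AFS/Kerberos port model in the list above.
Port facts are from the page; addresses, log format and rules are constructed."""
import re
from dataclasses import dataclass

# Destination ports an AFS client must reach on servers (7000-7005 minus
# 7001, the client's own callback port, and 7004, which is Kerberos/kaserver).
AFS_CLIENT_CORE = {7000: "fileserver", 7002: "ptserver", 7003: "vlserver", 7005: "volserver"}
AFS_CLIENT_OPTIONAL = {7007: "bosserver", 7008: "upserver"}
KERBEROS_AUTH = {88: "kerberos5", 750: "kerberos4", 7004: "kaserver"}
AFS_RANGE = range(7000, 7012)          # 7000-7011, the block allocated to AFS
CALLBACK_PORT, FILESERVER_PORT = 7001, 7000
EPHEMERAL_MIN = 1024                   # ephemeral allocation starts here


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed record format, e.g. "src=10.0.1.5 sport=40213 dst=10.0.0.10 dport=7000 proto=udp"
LINE_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+) proto=(\w+)")


def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, sport, dst, dport, proto = m.groups()
    return Flow(src, int(sport), dst, int(dport), proto)


def classify(flow, servers, clients):
    """Return (verdict, reason); verdict is one of allow / alert / unmatched."""
    if flow.proto != "udp":
        return ("unmatched", "only UDP flows are modelled here")
    if flow.src in clients and flow.dst in servers:
        name = (AFS_CLIENT_CORE.get(flow.dport) or AFS_CLIENT_OPTIONAL.get(flow.dport)
                or KERBEROS_AUTH.get(flow.dport))
        if name:
            if flow.sport < EPHEMERAL_MIN:
                return ("alert", f"{name}: non-ephemeral source port {flow.sport}")
            return ("allow", f"client -> {name}")
        if flow.dport == 7009:
            return ("alert", "knfs (AFS/NFS translator) traffic: service is non-functional")
        if flow.dport in AFS_RANGE:
            return ("alert", f"AFS port {flow.dport} is not needed by clients")
        return ("unmatched", "not an AFS/Kerberos destination")
    if flow.src in servers and flow.dst in clients:
        if flow.dport == CALLBACK_PORT:
            if flow.sport == FILESERVER_PORT:
                return ("allow", "fileserver -> cache manager callback/ping")
            return ("alert", f"callback from unexpected source port {flow.sport}")
        return ("unmatched", "server -> client traffic outside callbacks")
    return ("unmatched", "hosts not in server/client sets")


def review(lines, servers, clients):
    """Classify every record; returns a list of (flow, verdict, reason)."""
    return [(f, *classify(f, servers, clients)) for f in map(parse_line, lines)]


SERVERS = {"10.0.0.10", "10.0.0.11"}      # constructed AFS server / KDC addresses
CLIENTS = {"10.0.1.5"}                    # constructed AFS client address

SAMPLE_LOG = [  # constructed flow records, not from any real capture
    "src=10.0.1.5 sport=40213 dst=10.0.0.10 dport=7003 proto=udp",  # vlserver lookup
    "src=10.0.1.5 sport=40214 dst=10.0.0.11 dport=88 proto=udp",    # Kerberos 5 request
    "src=10.0.0.10 sport=7000 dst=10.0.1.5 dport=7001 proto=udp",   # callback break
    "src=10.0.0.10 sport=51000 dst=10.0.1.5 dport=7001 proto=udp",  # odd source port
    "src=10.0.1.5 sport=40215 dst=10.0.0.10 dport=7009 proto=udp",  # knfs translator
    "src=10.0.1.5 sport=40216 dst=10.0.0.10 dport=7010 proto=udp",  # unused AFS port
    "src=10.0.1.5 sport=900 dst=10.0.0.10 dport=7000 proto=udp",    # privileged sport
]

if __name__ == "__main__":
    for flow, verdict, reason in review(SAMPLE_LOG, SERVERS, CLIENTS):
        print(f"{verdict:9} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
```

The "unmatched" verdict is deliberately separate from "alert": DNS, NTP and syslog traffic from the same hosts is outside this model and should be checked against their own rules rather than silently allowed or flagged.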