Hi Stefan,
If you really want a firewall to be able to do any kind of content filtering, then you should consider using HTTP as your transport layer between the Agent and the EM, as our default Isengard communication protocol is unknown to the rest of mankind and therefore cannot be analyzed/filtered; the firewall needs to consider it as raw TCP.
That being said, can you please make explicit what problem you are encountering? As Fred said, a firewall rule needs to be created with the following attributes:
Source: Any server that has an Agent on it
Destination: Any Enterprise Manager that the Agents might try to contact on port 5001 by default. (Includes the MOM and the Collectors).