A little trick I use: you define a firewall rule that allows traffic to TCP ports listed in an ipset and similarly for UDP.
By default the sets are empty, but you can then use the ipset command to dynamically add ports to either set as required without having to reload your full set of firewall rules.