Technically, you just need port 4000 TCP (or the port you decided to use for the NX service).
I presume the additional port 24004 is what the client or server selected at random for UDP. You can change it or disable UDP altogether in Edit connection, Advanced.
Both the client and the server try to use UDP, if they can. First the server will try to use the UDP port opened by the client, then the client will try to establish the communication on the UDP port opened by the server. If both attempts fail, the communication will continue using only the TCP port.
At the time I’m writing, the ports are added automatically to the firewall configuration on Windows. Not so on Mac and Linux. This is going to change in the future.