Many companies use a firewall system to isolate their networks from unauthorized access from the Internet. A firewall can be used to restrict access to your network by forwarding only requests targeted at specific TCP/IP addresses in the local network. Requests for all other network addresses are blocked by the firewall. You can allow Internet applications to access an instance of the SQL Server Database Engine in the local network by configuring the firewall to forward network requests that specify the network address of the instance of the Database Engine.
To work with a firewall, the instance of the Database Engine must listen on the network address that the firewall is configured to forward. A TCP/IP network address for SQL Server Database Engine consists of two parts: an IP address associated with one or more network cards in a computer, and a TCP port address specific to an instance of SQL Server. Default instances of the Database Engine use TCP port 1433 by default. Named instances, however, dynamically assign an unused TCP port number the first time the instance is started. The named instance can also dynamically change its TCP port address on a later startup if the original TCP port number is being used by another application. SQL Server only dynamically changes to an unused TCP port if the port it is currently listening on was itself dynamically selected; if a statically assigned port is in use by another application, SQL Server displays an error and continues to listen on other ports. It is unlikely, however, that another application would use 1433 since that port is a well-known registered address for the SQL Server Database Engine.
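The port rules above decide whether a firewall forwarding rule keeps working across restarts. The following is an added example, not Microsoft code: a small Python model of those startup rules that checks a forwarded port against the port the instance ends up on. The instance name `SALES`, port 1500, the single-port model and the "lowest free port from 49152" selection are assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_INSTANCE_PORT = 1433      # default-instance port named in the text
DYNAMIC_RANGE_START = 49152       # assumption: model picks the lowest free port from here


def pick_unused(in_use: Set[int]) -> int:
    """Stand-in for the OS handing out an unused port (deterministic for the demo)."""
    port = DYNAMIC_RANGE_START
    while port in in_use:
        port += 1
    return port


@dataclass
class Instance:
    name: str
    static_port: Optional[int] = None    # None means the port is chosen dynamically
    current_port: Optional[int] = None   # port in effect after the last startup

    def start(self, in_use: Set[int]) -> Optional[int]:
        """Apply the startup rules; None means the static port was taken (error case)."""
        if self.static_port is not None:
            # A static port is never moved: the instance reports an error for that port.
            self.current_port = None if self.static_port in in_use else self.static_port
        elif self.current_port is None or self.current_port in in_use:
            # First start, or the earlier dynamic port is now held by another application.
            self.current_port = pick_unused(in_use)
        return self.current_port


def simulate(inst: Instance, forwarded_port: int,
             busy_per_start: List[Set[int]]) -> List[Tuple[Optional[int], bool]]:
    """For each startup return (listening port, does the firewall rule still reach it)."""
    results = []
    for busy in busy_per_start:
        port = inst.start(busy)
        results.append((port, port == forwarded_port))
    return results


if __name__ == "__main__":
    starts = [set(), set(), {49152}]   # constructed: another app holds 49152 before start 3
    print(simulate(Instance("SALES"), 49152, starts))
    print(simulate(Instance("SALES", static_port=1500), 1500, starts))
    print(simulate(Instance("MSSQLSERVER", static_port=DEFAULT_INSTANCE_PORT), 1433, [{1433}]))
```

In the dynamic case the third startup moves the instance to a new port and the forwarding rule no longer reaches it, which is why an instance published through a firewall is normally given a statically assigned port.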
Source: technet.microsoft.com