By default, the OS X Lion firewall enabled and stealth actually has a few ports open, despite the System Preferences displaying no services running and no ports open.
A nessus scan will reveal the following UDP ports open and broadcasting information:
- 5353 / UDP
- 123 / UDP
- 127 / UDP
Note: Ignore port 4242 TCP on these screenshots. I am knowingly running Crashplan on this port! 
This occurs even with the following security configurations made as tight as possible by the end user in the System Preferences:
5353 udp is used for mDNS, or Bonjour. Apple has wrapped this service into DNS for OS X, which makes this difficult to disable. It is possible to disable the broadcasting portion of this service with some hackery as noted in this Apple KB article.
123 udp is used for NTP, but for operation of an NTP client this port does not have to be open in the firewall. Again there are no user configurable options to disable this.
127 udp is used for Windows NetBIOS to broadcast the host’s NetBIOS name for compatibility in Windows networks. This is on by default even with no Sharing ‘services’ enabled in the System Preferences. This should be user configurable in the System Preferences to disable broadasting this service.
If you don’t have nessus handy, you can also verify these particular UDP ports on your OS X machine with nmap:
$ sudo nmap -sU -p 123,127,5353 172.16.1.107 Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-19 11:42 EDT Nmap scan report for 172.16.1.107 Host is up (0.00063s latency). PORT STATE SERVICE 123/udp open ntp 127/udp open|filtered locus-con 5353/udp open|filtered zeroconf MAC Address: 00:11:22:33:44:55 (Unknown) Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
Cool!
