You only need to keep open the ports your server's services need; otherwise you should close them. If your customer needs some non-standard port opened, you should ensure the port is not used for malicious purposes.
I get a few issues with customers trying to connect to external DBs etc. on non-standard ports. Do you even block outgoing?
Yes - also highly recommend blocking outgoing. You can specifically enable those ports you want to allow out. A block on outgoing prevents a lot of exploits from working, as when they try to "dial home" they can't connect.
You could enable port 3306 (MySQL) to certain locations, but a more secure way to do it is to put the IP you are connecting to into csf.allow (or run csf -a IP), which enables connection to all ports on that server. I believe you can allow just one port through as well; also you can allow dynamic DNS addresses through a different mechanism (csf.dyndns file I believe).
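Added example, not part of the thread: a small audit that reads csf.allow-style lines and lists the addresses opened on every port, so they can be narrowed to a single-port rule. It assumes CSF's advanced allow filter format (`protocol|direction|d=port|d=ip`); the sample file contents and addresses are constructed.

```python
# Added example: audit csf.allow-style entries for how much they open.
import ipaddress

# Constructed sample; addresses come from documentation ranges.
SAMPLE_CSF_ALLOW = """\
# remote database server, added with: csf -a 192.0.2.10
192.0.2.10 # customer db - every port, in and out
# same server, outbound MySQL only (advanced allow filter)
tcp|out|d=3306|d=192.0.2.10
tcp|in|d=22|s=198.51.100.0/24
"""

def parse_entry(line):
    """Describe one csf.allow line; None for blanks, comments, Include."""
    entry = line.split("#", 1)[0].strip()
    if not entry or entry.lower().startswith("include"):
        return None
    fields = entry.split("|")
    if len(fields) == 1:
        # Plain address or CIDR: allowed on all ports, both directions.
        net = ipaddress.ip_network(fields[0], strict=False)
        return {"net": net, "proto": "any", "direction": "both", "port": None}
    proto, direction, *filters = fields
    rule = {"net": None, "proto": proto, "direction": direction, "port": None}
    for item in filters:
        key, _, value = item.partition("=")
        if key not in ("s", "d"):
            continue  # e.g. a u=uid filter, not needed for this audit
        try:
            rule["net"] = ipaddress.ip_network(value, strict=False)
        except ValueError:
            rule["port"] = value  # not an address, so a port or port list
    return rule

def all_port_entries(text):
    """Return the networks that the file opens on every port."""
    rules = filter(None, map(parse_entry, text.splitlines()))
    return [str(r["net"]) for r in rules if r["port"] is None]

if __name__ == "__main__":
    for net in all_port_entries(SAMPLE_CSF_ALLOW):
        print(f"{net}: all ports allowed, consider a port-scoped rule")
```
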