tl;dr: I think B is correct, meaning those are the ports that should be dialable from the outside world.
(all below TCP)
4001 is for the go-ipfs swarm endpoint.
9096 is for the default ipfs-cluster peer swarm endpoint. ipfs-cluster-follow with remote configurations may, however, be given a different port, even a UDP/QUIC port, depending on what the fetched config indicates.
8080 is for the go-ipfs gateway endpoint (should be listening on localhost only, and can be disabled if not used).
ICMP? No idea. But ipfs and cluster do autodiscovery using mDNS LAN multicast.
Additionally, 5001 is the ipfs daemon API port, which listens on localhost.
So, in your firewall, dialable from the outside should only be TCP 4001 and 9096, I think.
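
A host-side check to go with the firewall rule, added here as an example and not part of the original answer: it reads `ss -H -tln` style output and flags the localhost-only ports (8080, 5001) if they are bound to a non-loopback address. The sample lines are constructed, and the column layout (local address in the fourth field) is an assumption about `ss` output when only TCP is selected.

```python
import ipaddress

# Policy taken from the answer above (all TCP): 4001 and 9096 may be dialable
# from outside; 8080 (gateway) and 5001 (daemon API) should be localhost only.
PUBLIC_PORTS = {4001: "go-ipfs swarm", 9096: "ipfs-cluster swarm"}
LOCAL_ONLY_PORTS = {8080: "go-ipfs gateway", 5001: "go-ipfs API"}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:4001 0.0.0.0:*
LISTEN 0 4096 [::]:4001 [::]:*
LISTEN 0 4096 *:9096 *:*
LISTEN 0 4096 127.0.0.1:5001 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def split_local(addr):
    # "[::1]:5001" -> ("::1", 5001); "*:9096" -> ("*", 9096)
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    # "*" is the wildcard bind, which is never loopback.
    return host != "*" and ipaddress.ip_address(host).is_loopback

def audit(ss_output):
    findings, public_seen = [], set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if is_loopback(host):
            continue
        if port in LOCAL_ONLY_PORTS:
            findings.append(f"EXPOSED {port} ({LOCAL_ONLY_PORTS[port]}) bound to {host}")
        elif port in PUBLIC_PORTS:
            public_seen.add(port)
    # 9096 is only the default; a follower's fetched config may use another port.
    for port in sorted(set(PUBLIC_PORTS) - public_seen):
        findings.append(f"NOT LISTENING {port} ({PUBLIC_PORTS[port]})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SS)) or "OK")
```

A wildcard bind on 8080 or 5001 means the firewall is the only thing keeping those services private, so the finding is worth fixing at the listener as well.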