Bug 130540 - mdns is blocked by firewall (was: open mdns port by default)
Summary: mdns is blocked by firewall (was: open mdns port by default)
Status: RESOLVED WONTFIX
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Network
Version: Final
Hardware: x86-64 Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 130561
Reported: 2005-10-25 17:15 UTC by Martin Vidner
Modified: 2006-06-01 04:07 UTC (History)
CC List: 5 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Martin Vidner 2005-10-25 17:15:24 UTC
We have multicast DNS resolving enabled in libc, but it is of little use if the mdns port (UDP 5353) is blocked by the firewall.

I therefore propose to open that port by default.
Comment 1 Martin Vidner 2005-10-25 17:29:36 UTC
There is a related problem to that. Even if the port is open, by default mdns name resolution does not succeed.
(Try opening UDP 5353 on host foo and pinging bar.local where bar has the firewall turned off.)
That is because foo sends the mdns packets from a random port X to port 5353 and bar returns them from 5353 to X. I don't know if SuSEfirewall2 can be set up to let such traffic through.
But it can be overcome in a different way - adding "mdns" to hosts in /etc/nsswitch.conf. Then both the source and destination ports are 5353 in both cases.

(Don't forget to restart nscd when testing)

Or what did you guys do to make it work?
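The port behaviour Martin describes above (a query from an ephemeral port X, the answer coming back from 5353 to X, and the difference once the resolver itself sends from 5353) can be checked with a small packet-flow model. The following is an added example, not code from the bug or from SuSEfirewall2; the host addresses are constructed documentation addresses, and the two firewall models are deliberately simplified: a stateless rule that only opens inbound UDP 5353, and a stateful one that admits an inbound packet only when it is the exact reverse of a previously seen outbound packet (so a reply from bar is not recognised as belonging to a query that was sent to the multicast group).

```python
"""Toy model of the mDNS / firewall interaction: why a reply to a query sent
from an ephemeral port is dropped, and why sending from port 5353 helps.
Constructed example; hosts, addresses and rules are assumptions."""
from dataclasses import dataclass

MDNS_PORT = 5353
MDNS_GROUP = "224.0.0.251"          # mDNS IPv4 multicast group
FOO = "192.0.2.10"                  # querying host (constructed, RFC 5737 range)
BAR = "192.0.2.20"                  # responding host (constructed, RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    """UDP 4-tuple; payload is irrelevant for the filtering decision."""
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow_dport(pkt, open_ports=frozenset({MDNS_PORT})):
    """Model of 'open UDP 5353 inbound': only the destination port is examined."""
    return pkt.dport in open_ports


class ConntrackFirewall:
    """Simplified stateful filter: an inbound packet passes if it is the exact
    reverse of an outbound packet seen earlier, otherwise its dport must be open."""

    def __init__(self, open_ports=frozenset()):
        self.open_ports = set(open_ports)
        self.expected_replies = set()

    def outbound(self, pkt):
        # The expected reply is the outbound tuple reversed, i.e. it must come
        # from the address the query was sent to (here: the multicast group).
        self.expected_replies.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.expected_replies:
            return True
        return pkt.dport in self.open_ports


def mdns_exchange(query_sport):
    """Query from foo to the multicast group, answer from bar back to foo's
    source port (assumption: bar answers from 5353 directly to the querier)."""
    query = Packet(FOO, query_sport, MDNS_GROUP, MDNS_PORT)
    reply = Packet(BAR, MDNS_PORT, FOO, query_sport)
    return query, reply


def reply_passes_stateless(query_sport):
    """Does bar's answer get through a rule that only opens inbound 5353?"""
    _, reply = mdns_exchange(query_sport)
    return stateless_allow_dport(reply)


def reply_passes_stateful(query_sport, open_ports=frozenset()):
    """Does bar's answer get through the simplified stateful filter?"""
    fw = ConntrackFirewall(open_ports)
    query, reply = mdns_exchange(query_sport)
    fw.outbound(query)
    return fw.inbound(reply)


if __name__ == "__main__":
    for sport in (40000, MDNS_PORT):
        print(f"query from port {sport}: stateless={reply_passes_stateless(sport)}, "
              f"stateful(5353 open)={reply_passes_stateful(sport, {MDNS_PORT})}")
```

With the ephemeral source port the answer arrives at port X, which neither model admits; with the "mdns" NSS source behaviour the answer arrives at 5353 and the plain "open inbound 5353" rule is enough. The stateful model also shows that state tracking alone does not rescue the ephemeral-port case in this simplified form, because the reply does not come from the address the query was sent to.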
Comment 2 Lukas Ocilka 2005-10-25 19:28:22 UTC
If this port should be open by default, that is rather an enhancement for SuSEfirewall2 than for yast2-firewall.
Comment 3 Ludwig Nussel 2005-10-26 07:26:36 UTC
In the external zone no port is open by default, period. => WONTFIX.

However, if we redesign the installation workflow in a way so that users have to specify a class for their network interfaces there is a chance that LAN interfaces get classed as such instead of the default which is external. Note that with a "don't ask questions"-policy mdns is pointless anyways as all hosts end up with the name 'linux'.
Comment 4 Martin Vidner 2005-10-26 09:28:22 UTC
So let me restate the problem.
We have mdns installed by default.
We have firewall turned on by default.
We assign the network interfaces to the external zone by default.
Therefore, mdns does not work by default.
Adrian, Michael, how do you think it should work? How did you make it work for yourselves?
Comment 5 Lukas Ocilka 2005-11-01 09:03:21 UTC
Reassigning to the security-team...
Comment 6 Martin Vidner 2005-11-02 10:01:58 UTC
Ludwig says the security-team's position is don't open a port unless the user explicitly requests it.
Michael, can you comment on mdns and firewalling?
Comment 7 Marcus Meissner 2006-03-29 14:27:06 UTC
mls? Any input/comments here?
Comment 8 Michael Schröder 2006-03-29 14:55:35 UTC
No.
Comment 9 Thomas Biege 2006-06-01 04:07:45 UTC
Ok, I close this now. Reopen if needed.