Mac OS X Server 10.4: Using the "DHCP and Netboot Server" option in the Firewall pane of Server Admin

The Firewall pane in Server Admin includes an option for "DHCP and Netboot Server," which opens UDP port 67 for packets originating in the specified IP address group (typically a local subnet). However, this may not be adequate for actual DHCP clients.

If your clients are not getting DHCP leases, use the Advanced pane of the Firewall preference to add a rule similar to this one:

allow udp from any 68 to 255.255.255.255 dst-port 67 via en1

You may need to change via en1 to name the network interface that connects to the local network containing the DHCP clients. To specify via en1 in the Advanced pane, choose Other... from the Interface pop-up menu, and type via en1 (or whatever interface is appropriate for your configuration) in the text field.

Background information

During the initial stages of a DHCP packet exchange, the prospective DHCP clients don't yet have an address on the subnet. Such clients send two UDP broadcast packets (DHCP DISCOVER and REQUEST) from source address 0.0.0.0 to destination 255.255.255.255. However, the "allow" rule for packets from the specific local subnet will fail to match those packets, because a source address of 0.0.0.0 is not within that subnet, and they will be blocked by the catch-all rule that denies all packets.
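To illustrate why the subnet-based "DHCP and Netboot Server" rule misses the initial broadcast while the rule added in the Advanced pane catches it, here is a small first-match simulation of the firewall's rule evaluation. This is an added example, not part of the original article and not the actual ipfw code; the 192.168.1.0/24 subnet, the client addresses and the simplified rule format are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str

@dataclass
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "udp", "tcp", or "ip" (any protocol)
    src: str                  # CIDR network or "any"
    dst: str                  # CIDR network or "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: Optional[str] = None   # "via en1" restriction; None = any interface

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        return (self.proto in ("ip", p.proto)
                and in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))

def verdict(rules: List[Rule], p: Packet) -> str:
    # ipfw evaluates rules in order; the first matching rule decides.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed sample: the LAN is assumed to be 192.168.1.0/24 on interface en1.
DHCP_SERVER_OPTION = Rule("allow", "udp", "192.168.1.0/24", "any", dport=67)   # what the Firewall pane option adds
BROADCAST_FIX = Rule("allow", "udp", "any", "255.255.255.255", sport=68, dport=67, iface="en1")  # the rule from this article
DENY_ALL = Rule("deny", "ip", "any", "any")                                    # the catch-all rule
DEFAULT_RULESET = [DHCP_SERVER_OPTION, DENY_ALL]
FIXED_RULESET = [DHCP_SERVER_OPTION, BROADCAST_FIX, DENY_ALL]
# A client with no lease yet: DISCOVER from 0.0.0.0:68 to 255.255.255.255:67 on en1.
DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "en1")
# A client renewing an existing lease sends unicast from its own LAN address.
RENEW = Packet("udp", "192.168.1.20", 68, "192.168.1.1", 67, "en1")
```

Running `verdict` over the two rule sets shows the renewal passing under either, while the DISCOVER is denied until the broadcast rule is present.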

This issue does not affect DHCP servers and firewalls configured using the Gateway Setup application, because it automatically adds a rule similar to the one mentioned above. Nor does this issue affect Mac OS X Server 10.3 to 10.3.9, because Panther Server, by default, does not contain the catch-all rule that denies all packets including UDP packets.

Published Date: Oct 10, 2016