When a connection to a named instance of SQL Server is made, the connection goes to the SQL Browser service, which listens on UDP port 1434 (so we can control access to this UDP port and therefore prevent the handoff to the named instance port ever being requested). The SQL Browser service replies to the client with the port number on which the named instance of SQL Server listens, and then the client is redirected and connects to the port number provided by the SQL Server service.
I do not know why Microsoft cannot persuade Cisco to write a "SQLServer FIXUP" which would solve the problem of dynamic ports (we have this in the Oracle world as well).
If 1434/udp is closed to others, the only way in for forbidden users now is a hack on the dynamic port, which is beyond my skills and knowledge. I would only hope that if my servers are reasonably difficult to get into, an intruder would look elsewhere for his kicks. Omitting the "eq" directive in the ACL makes the scope "all ports" and would put the router back in control of who is accessing SQL Server and from where, but may be too general (all ports) for individual IPs passed by the filter, unless SQL Server was correctly hardened.
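The UDP/1434 exchange described in the post above, as an added example that is not part of the original post: it builds the CLNT_UCAST_INST request a client sends to the SQL Browser service (per MS-SSRP) and parses the SVR_RESP reply that carries the named instance's TCP port. The host name DBSRV01, instance name SALES and port 49172 in the sample reply are constructed for the walkthrough; only send_query() touches the network, and it is not called by default.

```python
"""SQL Server Resolution Protocol (SSRP, UDP/1434) request and reply.

Added example, not from the original post. Constructed reply data is used so
the parser runs offline; send_query() is the only function that talks to a
real host.
"""
from __future__ import annotations

import socket

SSRP_PORT = 1434
CLNT_BCAST_EX = 0x02    # enumerate every instance on the subnet
CLNT_UCAST_INST = 0x04  # ask one host about one named instance
SVR_RESP = 0x05


def build_ucast_inst(instance: str) -> bytes:
    """CLNT_UCAST_INST: one byte 0x04, then the instance name, NUL-terminated."""
    if len(instance) > 32:  # MS-SSRP caps the instance name at 32 characters
        raise ValueError("instance name too long")
    return bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"


def parse_svr_resp(data: bytes) -> list[dict[str, str]]:
    """SVR_RESP: one byte 0x05, little-endian 16-bit length, then a text body
    of ';'-separated key/value pairs; each instance record ends with ';;'."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP message")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue
        inst = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if inst:
            instances.append(inst)
    return instances


def instance_tcp_port(resp: bytes, instance: str) -> int | None:
    """The TCP port the browser reported for a given instance, or None."""
    for inst in parse_svr_resp(resp):
        if inst.get("InstanceName", "").upper() == instance.upper() and "tcp" in inst:
            return int(inst["tcp"])
    return None


def send_query(host: str, instance: str, timeout: float = 2.0) -> bytes:
    """Send the request to a real host. Raises socket.timeout when UDP/1434
    is filtered, which is exactly the ACL effect discussed above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ucast_inst(instance), (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return data


# Constructed reply (hypothetical host/instance/port) as a SQL Browser would
# answer for named instance "SALES" that was assigned dynamic port 49172.
_PAYLOAD = (b"ServerName;DBSRV01;InstanceName;SALES;IsClustered;No;"
            b"Version;15.0.2000.5;tcp;49172;;")
SAMPLE_RESP = bytes([SVR_RESP]) + len(_PAYLOAD).to_bytes(2, "little") + _PAYLOAD

if __name__ == "__main__":
    print(build_ucast_inst("SALES").hex())
    print(parse_svr_resp(SAMPLE_RESP))
    print(instance_tcp_port(SAMPLE_RESP, "sales"))
```

Sending CLNT_BCAST_EX (a single 0x02 byte) to the subnet broadcast address instead returns every instance on the segment in the same record format, which is why the post's point about filtering 1434/udp matters: with it closed, a client has nothing to redirect to and must already know the port.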
Two things here. First, a named instance doesn't have to use a dynamic port. You can configure it to use a static port. Not only does this permit you to build your ACLs, but it also means you can have an AD admin build the SPNs and not configure the SQL Server service account to be able to update the SPN information dynamically in AD (which requires delegation of permissions).
Second, if the dynamic port is exposed (you allow a connection to it), it's trivial to figure out what port SQL Server is listening on. nmap will do that, and has switches to do so stealthily to try and avoid IDS/IPS. What you're effectively doing is a port scan + fingerprinting of the service that responds on that port. SQL Server is fairly easy to pick up. Now, if your SQL Server is exposed to the Internet and I don't have much to worry about with respect to IDS/IPS, while you're not low-hanging fruit, you're only one step up from it.
K. Brian Kelley
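The fingerprinting step the reply above describes, as an added example that is not part of the original thread: it sends the unauthenticated TDS PRELOGIN message every client starts with and reads the VERSION option out of the server's PRELOGIN answer, which identifies SQL Server on whatever port it landed on (the same approach nmap's ms-sql-info script takes). The sample response bytes are constructed to look like a 15.0.2000 engine; probe() and find_sql_server() are the only functions that open a connection.

```python
"""Fingerprint SQL Server on an arbitrary TCP port with a TDS PRELOGIN probe.

Added example, not from the original reply. The packet layout follows MS-TDS:
8-byte header, then an option table of (token, offset, length) entries ending
in 0xFF, then the option data. A constructed reply lets the parser run offline.
"""
from __future__ import annotations

import socket
import struct

TDS_PRELOGIN = 0x12
TDS_RESPONSE = 0x04
TDS_EOM = 0x01
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = range(5)
OPT_TERMINATOR = 0xFF


def build_prelogin() -> bytes:
    """Client PRELOGIN: offsets in the table are relative to the payload start."""
    options = [
        (OPT_VERSION, bytes(6)),                 # client version, any value
        (OPT_ENCRYPTION, b"\x02"),               # ENCRYPT_NOT_SUP
        (OPT_INSTOPT, b"\x00"),                  # empty instance name
        (OPT_THREADID, struct.pack(">I", 0)),
        (OPT_MARS, b"\x00"),
    ]
    table_len = 5 * len(options) + 1             # entries plus terminator
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + bytes([OPT_TERMINATOR]) + data
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, TDS_EOM, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin_version(packet: bytes) -> str | None:
    """'major.minor.build' from a PRELOGIN response, or None if it is not TDS."""
    if len(packet) < 8 or packet[0] not in (TDS_RESPONSE, TDS_PRELOGIN):
        return None
    payload = packet[8:]
    pos = 0
    while pos + 5 <= len(payload) and payload[pos] != OPT_TERMINATOR:
        token, offset, length = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_VERSION and length >= 4 and offset + 4 <= len(payload):
            major, minor, build = struct.unpack(">BBH", payload[offset:offset + 4])
            return f"{major}.{minor}.{build}"
        pos += 5
    return None


def probe(host: str, port: int, timeout: float = 2.0) -> str | None:
    """Connect, send PRELOGIN, return the engine version or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_prelogin())
            return parse_prelogin_version(s.recv(4096))
    except (OSError, socket.timeout):
        return None


def find_sql_server(host: str, ports: range) -> list[tuple[int, str]]:
    """Sweep a range (e.g. 49152-65535, the default dynamic range) for TDS listeners."""
    return [(p, v) for p in ports if (v := probe(host, p)) is not None]


# Constructed server PRELOGIN reply: VERSION option = 0f 00 07 d0 00 00
# (15.0.2000, subbuild 0), ENCRYPTION option = 0x00 (ENCRYPT_OFF).
_RESP_PAYLOAD = (struct.pack(">BHH", OPT_VERSION, 11, 6)
                 + struct.pack(">BHH", OPT_ENCRYPTION, 17, 1)
                 + bytes([OPT_TERMINATOR])
                 + bytes([0x0F, 0x00, 0x07, 0xD0, 0x00, 0x00]) + b"\x00")
SAMPLE_RESPONSE = (struct.pack(">BBHHBB", TDS_RESPONSE, TDS_EOM,
                               8 + len(_RESP_PAYLOAD), 0, 1, 0) + _RESP_PAYLOAD)

if __name__ == "__main__":
    print(build_prelogin().hex())
    print(parse_prelogin_version(SAMPLE_RESPONSE))
```

Because PRELOGIN is answered before any authentication, an ACL that admits a source address to the dynamic port also admits this probe from that address; pinning the instance to a static port, as the reply recommends, is what lets the ACL say `eq` and nothing else.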