defaults write /Library/Preferences/com.apple.sharing.firewall
firewall -dict-add 'Apple Remote Desktop' '<dict><key>editable</key>
<integer>0</integer><key>enable</key><integer>1</integer><key>port</key>
<array><string>5900-5902</string><string>3283</string></array></dict>'
The only problem I encountered with this method is that the defaults command tends to change the ownership of the com.apple.sharing.firewall file from -rw-r--r-- root admin, which also disables the firewall. Changing the permissions back and rebooting will reactivate the built-in firewall.
[robg adds: To make the above command presentable, I broke it onto multiple rows. There's a space at the end of the first row, then all the remaining rows should be joined into one with no additional spaces.]

