As long as the DB lives on the same machine, don't open a port for it. You've answered your own question about which port to open if you do move the DB (UDP 5432). When you open that port on the separate DB server, you probably want to set your firewalling rules to restrict it to talking to only the IP address of the webserver. That's not perfect, but it's a start. And of course you're going to want to set a password for the database, to provide it with a little bit more protection also.
If you're just learning the system and security, do you really need to put the DB on a separate machine? You can serve a reasonable number of hits with the db on the same machine, unless that machine is very wimpy. If I were in your shoes, I'd keep the DB on the same machine unless it's clear from your load that it needs to move.
Another option would be to fit out the web server with an extra NIC and connect the db server to it alone. Whether or not that's feasible for you probably depends on how accommodating your colocation facility is, but it would allow you to protect traffic between the webserver and dbserver a bit better.
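The firewall restriction and database-side lockdown described in the answer above, as an added shell example that is not part of the original answer. It assumes PostgreSQL (whose listener is TCP 5432), iptables on the DB host, and constructed placeholder addresses: 203.0.113.10 for the web server and 203.0.113.20 for the DB host's internal (second-NIC) address. None of those names or addresses come from the thread. By default the script only prints the rules; it applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict a PostgreSQL port
# on a separate DB host so that only the web server can reach it, and make
# PostgreSQL itself refuse anything else in case a firewall rule is lost.
#
# Assumptions (placeholders, not real hosts):
#   WEB_IP=203.0.113.10   address the web server connects from
#   DB_IP=203.0.113.20    address on the DB host's internal NIC
#   PostgreSQL listens on TCP 5432; iptables is the packet filter.

# Emit the iptables rules, in order: allow local clients, allow the web
# server, drop everyone else on the DB port. Printed, not executed.
db_firewall_rules() {
    web_ip="$1"
    port="${2:-5432}"
    cat <<EOF
iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p tcp -s $web_ip --dport $port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# pg_hba.conf line: only the web server's address may authenticate, and it
# must do so with a password (scram-sha-256), never "trust".
pg_hba_line() {
    web_ip="$1"
    printf 'host    all    all    %s/32    scram-sha-256\n' "$web_ip"
}

# postgresql.conf line: bind only the internal NIC address, so the DB does
# not listen on a publicly reachable interface at all.
postgresql_conf_line() {
    db_ip="$1"
    printf "listen_addresses = '%s'\n" "$db_ip"
}

# Apply the rules only when explicitly asked for and running as root;
# otherwise show them as a dry run.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        db_firewall_rules "$@" | sh
    else
        echo "# dry run (set APPLY=1 and run as root to apply):"
        db_firewall_rules "$@"
    fi
}

# Dry run with the constructed placeholder addresses.
apply_rules 203.0.113.10 5432
echo "# pg_hba.conf entry:"
pg_hba_line 203.0.113.10
echo "# postgresql.conf entry:"
postgresql_conf_line 203.0.113.20
```

After applying, verify from a third host (not the web server) that a TCP connection to port 5432 on the DB host times out or is refused; from the web server it should succeed only with the configured password.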