jnojr

Q: Allow Bonjour chat through firewall

I have the following ipfw / ip6fw rules for Bonjour:

    06600 allow udp from 192.168.92.0/24 5353 to any dst-port 49152-65535 in
    06610 allow udp from any to 224.0.0.251 dst-port 5353

    06600 allow udp from 1111:2222:10:92::/64 5353 to any 49152-65535 in
    06610 allow udp from any to ff02::fb 5353

That allows me to be visible in Messages to other hosts on my VLAN, but if they try to send me a message I don't get it. I do get denied packets like:

    Mar 13 11:37:54 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 192.168.92.51:54473 192.168.92.60:54938 in via en0

The "fix" was:

    06620 allow tcp from 192.168.92.0/24 49152-65535 to any 49152-65535 in

    06620 allow udp from 1111:2222:10:92::/64 49152-65535 to any 49152-65535 in

But I'd really like to find out what port(s) Bonjour is using for chat so I can restrict this as much as possible.

OS X Mountain Lion (10.8.5)

Posted on Mar 14, 2014 1:44 PM
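As an added example (not part of the original post or of ipfw itself), a small shell function that tallies inbound ipfw "Deny" log lines by protocol and destination port, so the broad 49152-65535 rule can be narrowed to the ports Messages actually uses. The log lines, rule number and `suggest_rules` helper are constructed for illustration, modelled on the entry quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: summarise inbound ipfw "Deny"
# log lines by protocol and destination port so a rule can be narrowed
# from 49152-65535 to the ports actually seen. Sample lines are constructed.
LOG=$(cat <<'EOF'
Mar 13 11:37:54 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 192.168.92.51:54473 192.168.92.60:54938 in via en0
Mar 13 11:38:02 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 192.168.92.51:54480 192.168.92.60:54938 in via en0
Mar 13 11:38:10 flamingo kernel[0] <Debug>: ipfw: 65534 Deny UDP 192.168.92.51:5353 192.168.92.60:61000 in via en0
Mar 13 11:38:15 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 10.0.0.7:40000 192.168.92.60:54938 in via en0
EOF
)

# ipfw_deny_ports PREFIX: print "PROTO DST-PORT COUNT" for inbound denies
# whose source address starts with PREFIX (e.g. "192.168.92."), sorted.
# On a live system, pipe the system log through the same awk instead of $LOG.
ipfw_deny_ports() {
  printf '%s\n' "$LOG" | awk -v pfx="$1" '
    # fields: $7="ipfw:" $8=rule $9="Deny" $10=proto $11=src:port $12=dst:port $13="in"
    $7 == "ipfw:" && $9 == "Deny" && $13 == "in" {
      proto = $10; src = $11; dst = $12
      if (index(src, pfx) != 1) next          # only hosts on our VLAN
      n = split(dst, d, ":"); port = d[n]     # last ":"-field is the dst port
      count[proto " " port]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# suggest_rules PREFIX NET: one candidate allow rule per port seen (rule
# number is a constructed placeholder; protocol is lowercased for ipfw)
suggest_rules() {
  ipfw_deny_ports "$1" | awk -v net="$2" '
    { printf "06620 allow %s from %s to any dst-port %s in\n", tolower($1), net, $2 }'
}
```

Run it over a day or two of log before trusting the port list, since the answer below notes that Messages picks A/V ports dynamically.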

  • by Ralph Johns (UK), Level 9 (73,087 points), Mar 14, 2014 3:12 PM in response to jnojr

    Hi,

    It has become less clear over time.

    http://support.apple.com/kb/HT1507 was written with iChat 2 in operation and was updated when Jabber was added to iChat 3.

    Bonjour as a "login" uses the same port as the Shares in the Finder (port 5353).

    Text and File Transfers are then listed as on ports 5297 and 5298 with a mixture of TCP and UDP protocols (see the notes at the bottom).

     

    Then A/V chats used to use the same ports as any other A/V chat.

    In iChat 4 and later this becomes Port 5678 for the Visible Invite.

    On acceptance of that it moves to port 16402 as first choice to send the SIP request (before it was the port 5060)

    Then the Video (or Audio) Chat happens on a single port, usually still port 16402.

    Prior to this it was 4 ports starting at the lower end of 16384-16403 as the Doc above.

     

    As iChat has progressed into Messages it seems the A/V connections are much more dynamic and do not seem to stick to anything like the original listed ports.

    A later Doc that was effectively for iChat 4 and above no longer exists (it detailed the reduction of the "group of 20" ports to 10 (16393-16402) and the change in the SIP port).

     

    Through a router, Messages and later versions of iChat use UPnP to good effect.

    This allows the app to say which ports to open, and many routers then close them after a period of non-use.

     

    I have seen issues when routers or modems allow both IPv4 and IPv6 to be connected.

    iChat in the past has seen this as two network connections which it cannot resolve.

     

    I do use Little Snitch and most A/V chats seem to be around the 4xxxx range.

    This does appear to be because the app has become more dynamic over port choices.

     

    Other than that I am not familiar with what you are doing and have also not used a VPN to use iChat or Messages.


    10:12 pm Friday; March 14, 2014

    iMac 2.5Ghz i5 2011 (Mavericks 10.9)
    G4/1GhzDual MDD (Leopard 10.5.8)
    MacBookPro 2Gb (Snow Leopard 10.6.8)
    Mac OS X (10.6.8),
    Couple of iPhones and an iPad