Using iChat with a firewall or NAT router
  1. All iChat traffic is UDP except for ports 5190 and 5298, which need to be open for both TCP and UDP; and 5220 and 5222 and 5223, which need to be open for TCP only.
  2. Ports 5297, 5298, and 5353 are used only for local traffic. Opening these ports may be necessary for firewall software that runs on a computer, rather than on a router. These ports do not need to be open at your uplink to the Internet.
  3. The Mac OS X firewall found in the Sharing preference pane filters only TCP packets in Mac OS X 10.3.9 or earlier. For this reason, most of the ports listed here do not need to be opened at the Mac OS X firewall.
  4. Some router-specific features or configurations may interfere with iChat. This includes port mapping on either end, SIP rewriting, SIP dropping, or dynamic opening of media ports.
  5. For firewall issues specific to file transfer, see "iChat: Cannot Send or Receive a File When Firewall Is Active".
  6. The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat features are used, this service will be contacted. Blocking this service may cause issues with iChat connections with hosts on networks that use NAT.
The firewall ports are not open.
The router's NAT behavior is unsuitable. (a full cone NAT is required)
So if opening the firewall ports does not help, the router may not be a full cone NAT router. Router type: Port Restricted is bad.

a full cone NAT router

iChat Help
 Solving problems
  Other problems
   If your router is causing connection problems

"Allow incoming connections" in the Mac OS X Firewall

Is it really necessary to allow iChat?
System Preferences
If "Automatically allow signed software to receive incoming connections" is turned on, you do not need to register iChat, because iChat is signed software. Allows software signed by a valid certificate authority to provide services accessed from the network.

Google: ichat port

iChat: Cannot Send or Receive a File When Firewall Is Active
You may be able to receive a file but not send them. In its default state, the Mac OS X firewall blocks file transfers using iChat or America Online AIM software. If either the sender or receiver has turned on the Mac OS X firewall, the transfer may be blocked. If you do not want to turn off firewall at the sending computer, a different file sharing service may be used instead of iChat.
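If you want to transfer files with iChat:
Open the ports in the Mac OS X Firewall
Transfer the files with File Sharing
I know I can just use File Sharing, but that feels a bit dull. Being able to casually toss an image over iChat is more fun. Then again, from a security standpoint, I would rather not open that kind of hole in the firewall. It comes down to whether to "compromise on security in exchange for fun".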

Open sesame!

Ports to open for Mac OS X firewall

When using the built-in Mac OS X firewall,
  you only need to open these ports:
    5060, 5190, 5297, 5298, 5678, 16384 through 16403.
If using Jabber in Mac OS X 10.4 or later,
    5220, 5222, 5223
  as well. 
Naturally, the router's firewall has to be opened as well.


That means carrying over the router settings. I am installing an Apple AirPort (AirMac) Extreme Base Station. How should the NAT settings (port forwarding table) be configured?


BBR-4MG: taking PPPoE. using address transfer table.
Mac mini: manually configured local IP address
web server Mac mini

Configure IPv4: Manually
IP Address:

router BBR-4MG


LAN IP address:
DHCP server: 16 devices starting from


PPPoE connection target: Flet's ADSL


TCP:80  <--->
TCP:22  <--->
TCP:548 <--->
What are 548 and 5900? I set them up myself and have already forgotten. Then it suddenly occurred to me: don't I need to open the iChat ports too? 548 is AFP (= File Sharing), and 5900 is VNC (= Screen Sharing).
for iChat:  5060, 5190, 5297, 5298, 5678, 16384-16403
for Jabber: 5220, 5222, 5223
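
One way to check a router forwarding table against the port rules quoted above. This is an added example, not part of the original notes or Apple's documentation; the `PROTO:port` table format and the sample entries are constructed. It reports what is still missing at the uplink and which local-only ports are exposed without need.

```python
import re

# Port rules transcribed from the notes on this page.
ICHAT = {5060, 5190, 5297, 5298, 5678, *range(16384, 16404)}
JABBER = {5220, 5222, 5223}          # TCP only
TCP_AND_UDP = {5190, 5298}           # all other iChat traffic is UDP
LOCAL_ONLY = {5297, 5298, 5353}      # not needed at the Internet uplink

# Assumed entry format: "TCP:80" or "UDP:16384-16403" at the start of a line.
ENTRY = re.compile(r"^(tcp|udp):(\d+)(?:-(\d+))?", re.I)

def required_at_uplink(jabber=False):
    """(proto, port) pairs the router has to pass for iChat (and Jabber)."""
    need = set()
    for port in (ICHAT | (JABBER if jabber else set())) - LOCAL_ONLY:
        if port in JABBER:
            protos = ("tcp",)
        elif port in TCP_AND_UDP:
            protos = ("tcp", "udp")
        else:
            protos = ("udp",)
        need.update((proto, port) for proto in protos)
    return need

def parse_table(text):
    """Expand every table entry into individual (proto, port) pairs."""
    opened = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3) or lo)
            opened.update((m.group(1).lower(), p) for p in range(lo, hi + 1))
    return opened

def audit(table_text, jabber=False):
    """Return (missing, local-only ports exposed, forwards unrelated to iChat)."""
    opened, need = parse_table(table_text), required_at_uplink(jabber)
    local_exposed = {e for e in opened if e[1] in LOCAL_ONLY}
    return need - opened, local_exposed, opened - need - local_exposed

# Constructed sample table, not the author's real configuration.
SAMPLE_TABLE = """TCP:80\nTCP:22\nTCP:548\nUDP:5060\nTCP:5190
UDP:5297\nUDP:5678\nUDP:16384-16403"""

if __name__ == "__main__":
    labels = ("missing", "local-only but exposed", "other forwards")
    for label, entries in zip(labels, audit(SAMPLE_TABLE)):
        print(f"{label}: {sorted(entries)}")
```

Entries reported as local-only can be removed from the router, and the "other forwards" list is the remaining exposure to review on its own merits.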

first posted: 2012-02-27 20:23:53
last modified: 2012-02-28 02:54:34