Allow Bonjour chat through firewall?

Discussion in 'macOS' started by jnojr, Mar 13, 2014.

  1. jnojr macrumors newbie

    Joined:
    Nov 5, 2013
    #1
    I'm trying to get Bonjour working through my firewall. I've added:

    Code:
    ipfw add 6600 allow udp from ${TRUSTED} 5353 to any dst-port 1024-65535 in;
    ipfw add 6610 allow udp from any to 224.0.0.251 5353;
    
    ip6fw add 6600 allow udp from ${TRUSTED6} 5353 to any 1024-65535 in;
    ip6fw add 6610 allow udp from any to ff02::fb 5353;
    But no joy. A recent test got:

    Code:
    Mar 13 11:37:54 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 192.168.92.51:54473 192.168.92.60:54938 in via en0
    I'm not certain if this traffic will always be destined for port 54938.

    So I added:

    Code:
    ipfw add 6620 allow tcp from ${TRUSTED} to me dst-port 1024-65535 in;
    That works, but is WAY too "open". I cannot find any docs that tell exactly what ports Bonjour requires… everything just mentions UDP 5353.
     
  2. Alrescha, Mar 13, 2014
    Last edited: Mar 14, 2014

    Alrescha macrumors 68020

    Joined:
    Jan 1, 2008
    #2
    You obviously know more than I do about it. Good luck.
     
  3. jnojr thread starter macrumors newbie

    Joined:
    Nov 5, 2013
    #3
    Umm, Bonjour, just like I said ;) I have several traditional chat services working in Messages. That's a whole different ball of wax.

    Bonjour discovery (which uses multicasting, not broadcasting, for discovery; the destination for query/advertisement traffic is 224.0.0.251:5353 and FF02::FB:5353 UDP) is working just fine through the firewall. It's the chat payload, which is TCP unicast, which is the issue. I'm trying to find what source/destination ports Bonjour chat uses.
     
  4. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #4
    The problem with firewalls and Bonjour is there isn't a set port that the Messages app will use. Every time it starts, it uses a different port and publishes that port with Bonjour. It doesn't need to be a 'well-known' port because Bonjour handles the service resolution.

    I saw this effect by starting and exiting the Messages on my Mac. The first time it was port 53968. Next time it was 53985. All according to Bonjour, which I verified with 'netstat' on the Mac.

    I used 'avahi-discover -a -r' on my Linux box and started Messages on the Mac. This time it was 58349:

    Code:
    =   lan0 IPv4 user@host                            iChat Presence       local
       hostname = [host.local]
       address = [192.168.1.62]
       port = [58349]
       txt = ["txtvers=1" "1st=Blah" "aim=username" "last=Foo" "email=user@host" "port.p2pj=58349" "ext=5I" "phsh=0624ee8554baa20540583c732af0604b4a63b8fc" "status=avail"]
    
    Notice the port number. That changes every time I start the Messages app and 'netstat -a' confirms it.

    Code:
    tcp4       0      0  *.58349                *.*                    LISTEN     
    
    So, unfortunately, you won't get a more specific answer than '1024-65535'. I don't know if there's some magic way to get Bonjour to communicate with the firewall to open ports associated with services that are started.
     
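Added example (not code from anyone in this thread, nor Apple's or Avahi's): one way to do the narrowing mfram describes, by parsing the resolved ("=") entries that avahi-browse -r prints for _presence._tcp and emitting one allow rule per trusted peer and the port it currently advertises, instead of opening 1024-65535. The sample output and the trusted ranges are constructed; the entry format is assumed to be the one quoted in the post above.

```python
import ipaddress
import re

# Constructed sample in the resolved ("=") format avahi-browse -r prints, modelled on the
# entry quoted in the post, plus an IPv6 peer and a peer outside the trusted range.
SAMPLE = """\
=   lan0 IPv4 user@host           iChat Presence   local
   hostname = [host.local]
   address = [192.168.1.62]
   port = [58349]
   txt = ["txtvers=1" "port.p2pj=58349" "status=avail"]
=   lan0 IPv6 other@guest         iChat Presence   local
   address = [fe80::1]
   port = [53985]
=   lan0 IPv4 stranger@laptop     iChat Presence   local
   address = [10.0.0.7]
   port = [54938]
"""

FIELD = re.compile(r"^\s+(\w+) = \[(.*)\]$")

def parse_resolved(text):
    """Return (name, address, port) for each resolved '=' entry; '+'/'-' browse-only
    lines are ignored.  Assumes the instance name contains no whitespace."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("="):
            cur = {"name": line.split()[3]}
            entries.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    return [(e["name"], e["address"], int(e["port"])) for e in entries if "port" in e]

def firewall_rules(services, trusted_nets, base=6620):
    """One allow rule per trusted peer and its currently published port, in the ipfw /
    ip6fw syntax used in the thread; peers outside trusted_nets get no rule at all."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    rules = []
    for i, (_, address, port) in enumerate(services):
        addr = ipaddress.ip_address(address)
        if not any(addr in n for n in nets):
            continue  # not a trusted peer: leave the default deny in place
        if addr.version == 6:
            rules.append(f"ip6fw add {base + i} allow tcp from {addr} to any {port} in")
        else:
            rules.append(f"ipfw add {base + i} allow tcp from {addr} to me dst-port {port} in")
    return rules

if __name__ == "__main__":
    for rule in firewall_rules(parse_resolved(SAMPLE), ["192.168.1.0/24", "fe80::/10"]):
        print(rule)
```

Because the advertised port changes every time Messages restarts, the generated rules have to be flushed and regenerated whenever the browse results change, e.g. from a periodic job.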