Allow Bonjour chat through firewall?

[jnojr]

I'm trying to get Bonjour working through my firewall. I've added:

ipfw add 6600 allow udp from ${TRUSTED} 5353 to any dst-port 1024-65535 in;
ipfw add 6610 allow udp from any to 224.0.0.251 5353;

ip6fw add 6600 allow udp from ${TRUSTED6} 5353 to any 1024-65535 in;
ip6fw add 6610 allow udp from any to ff02::fb 5353;

But no joy. A recent test got:

Mar 13 11:37:54 flamingo kernel[0] <Debug>: ipfw: 65534 Deny TCP 192.168.92.51:54473 192.168.92.60:54938 in via en0

I'm not certain if this traffic will always be destined for port 54938.

So I added:

ipfw add 6620 allow tcp from ${TRUSTED} to me dst-port 1024-65535 in;

That works, but is WAY too "open". I cannot find any docs that tell exactly what ports Bonjour requires… everything just mentions UDP 5353.

 

[Alrescha]

You obviously know more than I do about it. Good luck.

 

[jnojr]

By "Bonjour chat" I am not sure if you mean Bonjour or iChat/Messages.

Umm, Bonjour, just like I said I have several traditional chat services working in Messages. That's a whole different ball of wax.

Bonjour is a discovery protocol for local networks. It uses network broadcasts to announce various services. These broadcasts do not pass through routers or firewalls by design.

Bonjour discovery (which uses multicasting, not broadcasting, for discovery. The destination for query/advertisement traffic is 224.0.0.251:5353 and FF02::FB:5353 UDP) is working just fine through the firewall. It's the chat payload, which is TCP unicast, which is the issue. I'm trying to find what source/destination ports Bonjour chat uses.

 

[mfram]

The problem with firewalls and Bonjour and is there isn't a set port that the Messages app will use. Every time is starts, it uses a different port and publishes that port with Bonjour. It doesn't need to be a 'well-known' port because Bonjour handles the service resolution.

I saw this effect by starting and exiting the Messages on my Mac. The first time it was port 53968. Next time it was 53985. All according to Bonjour, which I verified with 'netstat' on the Mac.

I used 'avahi-discover -a -r' on my Linux box and starting Messages on the Mac. This time it was 58349:

=   lan0 IPv4 user@host                            iChat Presence       local
   hostname = [host.local]
   address = [192.168.1.62]
   port = [58349]
   txt = ["txtvers=1" "1st=Blah" "aim=username" "last=Foo" "email=user@host" "port.p2pj=58349" "ext=5I" "phsh=0624ee8554baa20540583c732af0604b4a63b8fc" "status=avail"]

Notice the port number. That changes every time I start the Messages app and 'netstat -a' confirms it.

tcp4       0      0  *.58349                *.*                    LISTEN

So, unfortunately, you won't get a more specific answer than '1024-65535'. I don't know if there's some magic way to get Bonjour to communicate with the firewall to open ports associated with services that are started.