
Allow iChat to work through Apple's Firewall Network
I have not understood why people were not able to use iChat's Rendezvous mode to communicate with me. People stated they sent me a message, but I would never receive it. Turns out it was, in fact, my Apple built-in firewall blocking incoming iChat messages. This does not seem like it would be a hidden hint, but you would have thought Apple would have set iChat as one of the "common ports."

To allow incoming iChat connections, go to the Sharing System Preference panel, click on the Firewall tab, then click the "New" button. Click on the Port drop-down menu and select "Other." Enter 5298 for the port number. Optional, but recommended: enter "iChat" for the description.

[robg adds: I have changed the port number (it was 5289) and any references to Rendezvous, as this is really an iChat hint (see the comments below).]
Allow Rendezvous to work through Apple's Firewall
Authored by: deleted_user18 on Apr 09, '03 10:16:36AM

Strange. Are we talking of Rendezvous in a local network?

I have Apple's light-firewall in sharing pane turned on on every machine and they can use iChat, mod_rendezvous, Hydra and all other Rendezvous-software to communicate.

No need to specify an extra port to be opened



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: deleted_user18 on Apr 10, '03 03:03:32AM

I have to correct myself. iChat is not running. I can see other users, but cannot connect.

So I had to allow this extra port, too. But maybe this firewall port should be called "iChat" not "Rendezvous".



[ Reply to This | # ]
iChat does not equal Rendezvous
Authored by: fletcherpenney on Apr 09, '03 10:42:31AM

First, I believe the original post should substitute iChat instead of Rendezvous almost every time it is used. iChat is Apple's program that allows both AIM compatibility, and local chatting without a central server using Rendezvous. Rendezvous is Apple's implementation of ZeroConf - a means of allowing computers to set up a network without relying on administrators or special services such as DNS server, etc. (This is definitely an oversimplification). Rendezvous is NOT an Instant Messaging protocol.

More importantly, I too noticed that I could not use iChat for local messages without modifying the firewall. Note that this is different from connecting to an AIM server, which does not require any modifications. The rendezvous portion of iChat allows it to detect other people on your local network using iChat, regardless of whether they are logged into AIM or not. It is actually 2 different chat programs working in parallel. Once I opened my firewall to port 5299, my computers were able to chat locally using iChat and without access to the internet to reach an AIM server.

As for the other comment, I agree that the other forms of Rendezvous Apps mentioned (Apple's mod_rendezvous, or the other (I can't remember the author right now), Hydra, Printer Sharing, AFP servers, etc.) do not require firewall changes, as long as the appropriate server is allowed (HTTP for mod_rendezvous, etc.).

From what I have been able to tell, Rendezvous works by creating "fake" domain names for local DNS without a central DNS server (such as BIND). The names are something like:
My_Home_Page._http._tcp._local. You do not need any firewall access to discover this (or it is allowed by default), but you DO need firewall access to reach the web server on this computer.

I am not sure if this clarifies things, or makes it more complicated... ;)



[ Reply to This | # ]
iChat does not equal Rendezvous - Typo
Authored by: fletcherpenney on Apr 09, '03 10:45:30AM

CORRECTION.
I allowed access on port 5298, not 5299. And not 5289 as the original poster used, though I have not tried this. I have seen both 5289 and 5298 used on various web pages, and it is possible they both work, or many people keep making the same typo.



[ Reply to This | # ]
use http port?
Authored by: Lizard_King on Apr 09, '03 06:21:34PM

I have to configure my AIM clients at work to use port 80 (http) because our corporate firewall blocks AIM's standard ports. Can't you just configure iChat to use port 80 instead?



[ Reply to This | # ]
iChat does not equal Rendezvous
Authored by: adriaant on Apr 09, '03 06:32:32PM

Erm, Hydra does require you to open a port as well in the firewall (see their homepage's FAQ).



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: sunnyd13 on Apr 09, '03 11:16:01AM

I have a small home network setup with my DSL plugged into a Linksys router, then an Airport coming out of one port and a desktop coming out of another. My laptop, that's serviced by the Airport, is not able to see the desktop in iChat. Since I don't have the Apple firewalls turned on on either machine, this port opening solution doesn't work.

Has anyone else experienced this problem with a combination wireless/wired network?



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: sfn on Apr 09, '03 11:39:05AM

For Rendezvous to work, all machines must be on the same subnet. Your
airport should be set to bridge-mode and should not be doing NAT or
handing out DHCP addresses.

---
-sfn



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: houchin on Apr 09, '03 11:54:32AM

Yes, I have seen this problem. However, I can use printer sharing, which I thought required Rendezvous. I'm using NetBarrier X and have it set to log blocked TCP connections, but trying to use iChat in Rendezvous mode does not generate any log entries.

Here's my network topology:
Cable modem hooked up to the WAN port of an XSense Pro (wired only). SMC Barricade Wireless configured as an access point, hooked up to the XSense through a LAN port on the Barricade.



[ Reply to This | # ]
Allow *iChat* to work through Apple's Firewall
Authored by: nicksay on Apr 09, '03 11:54:01AM

The above posters are correct in saying that this is really an iChat issue, not an inherent Rendezvous one. Apple has posted a few KnowledgeBase Documents about this issue, and I quote from one:

Symptoms 2 and 3 are caused when the Mac OS X Firewall, found in the Sharing preference pane, blocks the port used for local iChat traffic (5298). Firewall blocks this port in its default configuration. Follow these steps to open port 5298:
  1. Open System Preferences.
  2. Click Sharing.
  3. Click the Firewall tab.
  4. Click Stop.
  5. Click the New button.
  6. Choose Other from the Port Name pop-up menu.
  7. In the Port Number field, type: 5298
  8. In the Description field, type: Rendezvous
  9. Click OK.
  10. Click Start.

Note that the port number is 5298.



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: Davidge on Apr 09, '03 07:47:03PM

I'm not sure about everyone else, but "Rendevous iChat" was a selectable item in my Firewall config screen.

I'm running 10.2.4 but that option has been there a while.

---
--
David de Groot
Firewall Administrator and general Unix Geek



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: diamondsw on Apr 09, '03 07:48:33PM

Not in mine, also running 10.2.4.



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: JohnnyMnemonic on Apr 09, '03 10:57:11PM

That option wasn't there for me either, also running 10.2.4. I wonder what makes you special? If I had to guess, I would say that you set it once, and then forgot. However, I think this is an important addition, if not to the default list, then at least to the pull-down menu--I mean, they have Gnutella pre-configed, but not Rendezvous iChat?

I have tried both 5289 and 5298, and have found that 5298 needs to be open to allow in-bound connections. Interestingly, without either open still allows out-bound connections--I can send messages using Rendez iChat with both 5289 and 5298 closed, but can't receive.



[ Reply to This | # ]
Allow Rendezvous to work through Apple's Firewall
Authored by: bmerlin on Apr 10, '03 02:54:11AM

That's the entire point of a firewall--it allows outgoing communication, but not incoming except on ports that are specifically allowed.



[ Reply to This | # ]
re: Allow Rendezvous to work through Apple's Firewall
Authored by: huzzam on Apr 25, '03 02:29:48AM
That's the entire point of a firewall--it allows outgoing communication, but not incoming except on ports that are specifically allowed.

There are good reasons not to allow certain outbound connections as well, and most firewalls also allow such restrictions (including Apple's, though not through the GUI).

[ Reply to This | # ]

Allow Rendezvous to work through Apple's Firewall
Authored by: Jaharmi on Apr 10, '03 09:07:26AM

I also don't have this option in my firewall. Perhaps different versions of Mac OS X come with it preset in the firewall's potential rules, and those of us who started with earlier/different builds don't have it?

My Mac OS X installs came from the 10.2 retail CD, and my iBook/800's bundled 10.2.1 CD, if that helps.

Apple often shipped slightly different versions of Mac OS 8/9 with systems than came in retail packages, so I wouldn't be surprised that there could be slight differences in the Mac OS X versions you get through different channels. For example, a 10.2 retail CD set boots my iBook but doesn't allow me to view the screen at anything above 800x600 or 640x480 -- and then it wouldn't fully install after that -- but when I booted from my 10.2.1 bundled set, all was well.



[ Reply to This | # ]
More Filters for non-Apple-GUI Firewalls
Authored by: tbmaddux on Apr 10, '03 09:35:40AM
If like me you use a 3rd-party interface to 'ipfw' (such as BrickHouse) instead of the Firewall tab of the Sharing preference pane, you will need to allow UDP packets from source port 5353 and multicasts to 224.0.0.251 to allow Rendezvous (not iChat) to work. Examples:

add 2006 allow udp from any 5353 to any keep-state via en0

add 2007 allow all from any to 224.0.0.251 keep-state via en0


[ Reply to This | # ]

More Filters for non-Apple-GUI Firewalls
Authored by: jazz153 on Apr 26, '03 08:56:20PM

I am using a third-party firewall. When I attempt to send IM's, nothing is
ever received, nor can I receive anything. My firewall is currently set
to pass information from selected IP addresses. Should I then be setting
up a new port for this purpose? How much control do I have regarding
who I wish to see me online? Help anyone?

---
Jazza



[ Reply to This | # ]
Allow iChat transfers to work through Apple's Firewall
Authored by: pwestbro on Jun 20, '03 05:54:13AM

It also looks like if you want to do file transfers with iChat, port 17421 also has to be opened.



[ Reply to This | # ]
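
Added example (not part of the original hint or any comment): a small diagnostic that applies the two conditions raised in the thread, in order. It first checks that both machines are on the same subnet, which Rendezvous needs, and then checks whether the peer's local iChat port 5298 accepts an inbound TCP connection. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket

ICHAT_PORT = 5298  # local iChat port named in the hint and the quoted Apple note

ADVICE = {
    "different-subnet": "peers are on different subnets; put the access point in bridge mode",
    "open": "port accepts connections; inbound iChat messages can be delivered",
    "closed": "host sent a reset; iChat is not listening or a rule rejects the port",
    "filtered": "no answer; a firewall is probably dropping inbound packets to the port",
    "unreachable": "no route to the peer; fix addressing before looking at the firewall",
}

def same_subnet(local_ip, netmask, peer_ip):
    """True when peer_ip lies inside the subnet defined by local_ip/netmask."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(peer_ip) in net

def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port by how the connection attempt ends."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"       # RST came back
    except socket.timeout:
        return "filtered"     # SYN silently dropped
    except OSError:
        return "unreachable"  # e.g. no route to host

def diagnose(local_ip, netmask, peer_ip, port=ICHAT_PORT, probe=probe_tcp):
    """Check the subnet first; only probe the port when discovery could work."""
    if not same_subnet(local_ip, netmask, peer_ip):
        return "different-subnet"
    return probe(peer_ip, port)

if __name__ == "__main__":
    # Constructed addresses: a wired desktop, and a laptop behind a NATing base station.
    # The probe is stubbed so the demo runs offline; omit probe= to test a real peer.
    for peer in ("192.168.1.20", "10.0.1.2"):
        state = diagnose("192.168.1.10", "255.255.255.0", peer,
                         probe=lambda host, port: "filtered")
        print(peer, state, "-", ADVICE[state])
```

Run it from the sending machine against the machine that is not receiving messages. Because outbound connections pass the firewall, a peer that can send but not receive will typically show up here as "filtered" or "closed" on 5298.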