Using iChat with a firewall or NAT router

How to use iChat with a firewall or NAT router in Mac OS X v10.4 or earlier.

When using iChat with NAT routers and firewalls with Mac OS X v10.4 or earlier, certain ports must be open to allow video and audio conferencing behind a firewall. Some devices have these ports open by default, while others require configuration.

Note: This article lists all ports used by iChat, not just those used by audio/visual content. A list of individual port functions can be found in "'Well known' TCP and UDP ports used by Apple software products."

Network Address Translation (NAT)

Some Internet service providers (ISPs) and home networking routers use a technology called network address translation (NAT) to share an Internet connection. Though this often interferes with video and audio connections in other conferencing applications, iChat uses an innovative approach to establish a direct audio and video connection even on networks that use NAT. In fact, iChat works fine with many popular household routers in their out-of-box configurations.

About firewalls

Frequently used by corporations and educational institutions for increased security, firewalls work by blocking certain Internet traffic from entering or leaving a network. Mac OS X also includes a personal firewall that you can enable in Sharing preferences of System Preferences.

Internet traffic moves through a firewall based on service identification numbers that are known as ports. Certain ports must be open for iChat to work. Network administrators typically open a minimal amount of network ports, allowing the traffic for approved applications to enter and leave the network while blocking other network traffic.

iChat uses a range of ports for different purposes. When conferencing, ports 16384 to 16403 are used to send, receive, and optimize AV streams. For a single conference, 4 ports from that range of 20 are utilized to send and receive audio and video. Additionally, port 5060 is used for signaling and initiation of AV chat invitations, and 5678 is used for SNATMAP, for a total of 22 ports open. Ports used for other purposes, such as Bonjour and file transfer, are listed in the next two sections.

Tip: Traffic that goes through ports may be subdivided into different types, including TCP and UDP. iChat uses both of these, but mainly UDP. Advanced users can find more information on this in the Notes section below.

Ports to open for Mac OS X firewall

Note: The built-in Mac OS X firewall from Mac OS X v10.5 or later will not interfere with iChat. There is no need to open specific ports.

For Mac OS X v10.4 or earlier: When using the built-in Mac OS X firewall, you only need to open these ports: 5060, 5190, 5297, 5298, 5678, 16384 through 16403. If using Jabber in Mac OS X v10.4, open 5220, 5222, 5223 as well.

Tip: If you don't want to bother, a workaround is to temporarily turn off the firewall on each computer.

To chat with the Mac OS X firewall active in Mac OS X v10.4 or earlier, follow these steps to add the necessary ports:

  1. From the Apple menu, choose System Preferences.
  2. Click Sharing.
  3. Click the Firewall tab.
  4. Click New.
  5. From the Port Name pop-up menu, choose Other.
  6. In Mac OS X 10.3.9 or earlier, in the Port Number, Range or Series field, type in the following, then go to step 7:

    5060, 5190, 5297, 5298, 5678, 16384-16403

    In Mac OS X 10.4 or later, in the TCP Port Numbers field, type (you can omit 5220, 5222, 5223 if you don't use Jabber):
    5190, 5220, 5222, 5223, 5298

    In the UDP Port Numbers field type:
    5060, 5190, 5297, 5298, 5353, 5678, 16384-16403
  7. In the Description field type in: iChat
  8. Click OK.

Ports to open for third-party firewall

If you use a third-party firewall, be sure to open these ports:

5060, 5190, 5297, 5298, 5353, 5678, and 16384 through 16403.

If that does not work, you could open all ports from 1024 through 65535 (or disable the firewall temporarily).

Advanced configuration information

More complex routers and firewalls may allow you to specify criteria such as TCP/UDP, incoming/outgoing packets, or source/destination ports. In that case you can use the following tables. Configuration A is less secure than Configuration B, but it works with a wider range of router configurations.

Configuration A

Outgoing Packets
Internal Source Port
External Destination Port
5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678, 16384-16403
Incoming Packets
External Source Port
Internal Destination Port
5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678, 16384-16403

Configuration B

Outgoing Packets

Internal Source Port
External Destination Port
5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 16384-16403
5060, 5190, 5297, 5298, 5353, 5678 16384-16403

Incoming Packets

External Source Port
Internal Destination Port
5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678 16384-16403
5060, 5190, 5297, 5298, 5353, 16384-16403

Additional Information


  1. All iChat traffic is UDP except for ports 5190 and 5298, which need to be open for both TCP and UDP; and 5220 and 5222 and 5223, which need to be open for TCP only.
  2. Ports 5297, 5298, and 5353 are used only for local traffic. Opening these ports may be necessary for firewall software that runs on a computer, rather than on a router. These ports do not need to be open at your uplink to the Internet.
  3. The Mac OS X firewall found in the Sharing preference pane filters only TCP packets in Mac OS X 10.3.9 or earlier. For this reason, most of the ports listed here do not need to be opened at the Mac OS X firewall.
  4. Some router-specific features or configurations may interfere with iChat. This includes port mapping on either end, SIP rewriting, SIP dropping, or dynamic opening of media ports.
  5. For firewall issues specific to file transfer, see "iChat: Cannot Send or Receive a File When Firewall Is Active".
  6. The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat features are used, this service will be contacted. Blocking this service may cause issues with iChat connections with hosts on networks that use NAT.
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.
Last Modified: Jun 25, 2012
  • Last Modified: Jun 25, 2012
  • Article: HT1507
  • Views:


Additional Product Support Information

Start a Discussion
in Apple Support Communities
See all questions on this article See all questions I have asked