Using iChat with a firewall or NAT router

How to use iChat with a firewall or NAT router in Mac OS X v10.4 or earlier.

This article has been archived and is no longer updated by Apple.

When using iChat with NAT routers and firewalls with Mac OS X v10.4 or earlier, certain ports must be open to allow video and audio conferencing behind a firewall. Some devices have these ports open by default, while others require configuration.

Note: This article lists all ports used by iChat, not just those used by audio/visual content. A list of individual port functions can be found in "'Well known' TCP and UDP ports used by Apple software products."

Network Address Translation (NAT)

Some Internet service providers (ISPs) and home networking routers use a technology called network address translation (NAT) to share an Internet connection. Though this often interferes with video and audio connections in other conferencing applications, iChat uses an innovative approach to establish a direct audio and video connection even on networks that use NAT. In fact, iChat works fine with many popular household routers in their out-of-box configurations.

About firewalls

Frequently used by corporations and educational institutions for increased security, firewalls work by blocking certain Internet traffic from entering or leaving a network. Mac OS X also includes a personal firewall that you can enable in Sharing preferences of System Preferences.

Internet traffic moves through a firewall based on service identification numbers that are known as ports. Certain ports must be open for iChat to work. Network administrators typically open a minimal amount of network ports, allowing the traffic for approved applications to enter and leave the network while blocking other network traffic.

iChat uses a range of ports for different purposes. When conferencing, ports 16384 to 16403 are used to send, receive, and optimize AV streams. For a single conference, 4 ports from that range of 20 are utilized to send and receive audio and video. Additionally, port 5060 is used for signaling and initiation of AV chat invitations, and 5678 is used for SNATMAP, for a total of 22 ports open. Ports used for other purposes, such as Bonjour and file transfer, are listed in the next two sections.

Tip: Traffic that goes through ports may be subdivided into different types, including TCP and UDP. iChat uses both of these, but mainly UDP. Advanced users can find more information on this in the Notes section below.

Ports to open for Mac OS X firewall

Note: The built-in Mac OS X firewall from Mac OS X v10.5 or later will not interfere with iChat. There is no need to open specific ports.

For Mac OS X v10.4 or earlier: When using the built-in Mac OS X firewall, you only need to open these ports: 5060, 5190, 5297, 5298, 5678, 16384 through 16403. If using Jabber in Mac OS X v10.4, open 5220, 5222, 5223 as well.

Tip: If you don't want to bother, a workaround is to temporarily turn off the firewall on each computer.

To chat with the Mac OS X firewall active in Mac OS X v10.4 or earlier, follow these steps to add the necessary ports:

  1. From the Apple menu, choose System Preferences.
  2. Click Sharing.
  3. Click the Firewall tab.
  4. Click New.
  5. From the Port Name pop-up menu, choose Other.
  6. In Mac OS X 10.3.9 or earlier, in the Port Number, Range or Series field, type in the following, then go to step 7:

    5060, 5190, 5297, 5298, 5678, 16384-16403

    In Mac OS X 10.4 or later, in the TCP Port Numbers field, type (you can omit 5220, 5222, 5223 if you don't use Jabber):
    5190, 5220, 5222, 5223, 5298

    In the UDP Port Numbers field type:
    5060, 5190, 5297, 5298, 5353, 5678, 16384-16403
  7. In the Description field type in: iChat
  8. Click OK.

Ports to open for third-party firewall

If you use a third-party firewall, be sure to open these ports:

5060, 5190, 5297, 5298, 5353, 5678, and 16384 through 16403.

If that does not work, you could open all ports from 1024 through 65535 (or disable the firewall temporarily).

Advanced configuration information

More complex routers and firewalls may allow you to specify criteria such as TCP/UDP, incoming/outgoing packets, or source/destination ports. In that case you can use the following tables. Configuration A is less secure than Configuration B, but it works with a wider range of router configurations.

Configuration A

Outgoing Packets

Internal Source Port

External Destination Port

5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678, 16384-16403


Incoming Packets

External Source Port

Internal Destination Port


5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678, 16384-16403

Configuration B

Outgoing Packets

Internal Source Port

External Destination Port

5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 16384-16403

5060, 5190, 5297, 5298, 5353, 5678 16384-16403

Incoming Packets

External Source Port

Internal Destination Port

5060, 5190, 5220, 5222, 5223, 5297, 5298, 5353, 5678 16384-16403

5060, 5190, 5297, 5298, 5353, 16384-16403

Learn more


  1. All iChat traffic is UDP except for ports 5190 and 5298, which need to be open for both TCP and UDP; and 5220 and 5222 and 5223, which need to be open for TCP only.
  2. Ports 5297, 5298, and 5353 are used only for local traffic. Opening these ports may be necessary for firewall software that runs on a computer, rather than on a router. These ports do not need to be open at your uplink to the Internet.
  3. The Mac OS X firewall found in the Sharing preference pane filters only TCP packets in Mac OS X 10.3.9 or earlier. For this reason, most of the ports listed here do not need to be opened at the Mac OS X firewall.
  4. Some router-specific features or configurations may interfere with iChat. This includes port mapping on either end, SIP rewriting, SIP dropping, or dynamic opening of media ports.
  5. For firewall issues specific to file transfer, see "iChat: Cannot Send or Receive a File When Firewall Is Active".
  6. The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat features are used, this service will be contacted. Blocking this service may cause issues with iChat connections with hosts on networks that use NAT.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.

Published Date: