
Leopard firewall vs iChat over Bonjour

jwbaxter (apparently) - 09:43am Nov 19, 2007 PST
via email

Since updating to Leopard, I have been unable to use iChat over
Bonjour to connect TO Leopard machines (including connecting between
the two Leopard machines on the LAN). Either machine can connect to
the remaining Tiger machine. (Which is good enough with respect to
that machine: I just have to remember to create a session on the
Leopard machine so that I can transmit the bit of data from the Tiger
machine.) This was true in 10.5.0 and remains so in 10.5.1.

Today I started looking into the matter. Part of the problem is the
inherited ipfw firewall on my Mini (the Mini was upgraded to Leopard
via Erase and Install plus Migration Assistant, and had an ipfw
firewall built using Flying Buttress while it was running Tiger).

However, the MacBook had no ipfw firewall beyond the seemingly always
present rule
   65535 all ip from any to any
which doesn't block "much".

On the MacBook, the incoming Bonjour iChat connections were being
blocked by the Application firewall. The machine was set to "Set
access for specific services and applications" and both iChat and
iChatAgent were in the list of apps and services and set to Allow.
(That is also true on the Mini, but the ipfw firewall makes it moot.)

I was able to make iChat connections over Bonjour to the MacBook by
temporarily setting the firewall to "Allow all incoming connections".
I don't mind doing that when I'm behind a NAT router and connected
only to machines I control. So now I can make all the connections I
need.

I'm close to concluding that the right way--for those with sufficient
skill--to manage the Leopard firewall is to set it to "Allow all
incoming connections" and use WaterRoof
<http://www.hanynet.com/waterroof/> to build a suitable ipfw firewall.

   --John


