In order to run a Jabber client behind a firewall, you will need to allow the client to connect to:
port 5222/TCP on the remote Jabber server.
This will work even if your client is chatting with users of different Jabber servers, as Jabber servers relay messages to others.
NB. Old Jabber clients connect to port 5223/TCP for encrypted connections (SSL/TLS). Newer clients will be able to start encrypted connections on the normal port 5222/TCP.)
If you are running a Jabber server, you will need to allow external machines to connect to:
port 5222/TCP on the machine hosting the Jabber server (client connections)
port 5269/TCP on the machine hosting the Jabber server (server connections)
In addition, your Jabber server will connect to:
port 5269/TCP on other Jabber servers.
NB.If your Jabber server uses 5223/TCP for encrypted connections (SSL/TLS), you will need to allow external machines to also connect to port 5223/TCP.