Gnutella Forums  
Tips & Tricks

Posted September 7th, 2005 by DavidFilmer

How I SOLVED the ULTIMATE Firewall Hell

OK, here is the ULTIMATE firewall hell (or, at least, worse than any other configs I've heard of). I have drilled port 6346 all the way through so that my machine (and other machines on my local network) can expose 6346 without firewall constraints. I thought I'd share my experiences.

I'm behind three levels of "firewalls":
1 - A VoIP Gateway (D-Link DVG-1220M)
2 - A LinkSys BEFSX-41 Broadband Router
3 - A Linux Server/Firewall (SuSE 9.3)

This is my home network, so I'm sysadm on all this gear. Here are the particulars (the technique should work on any other hardware assuming it can be configured in a similar fashion).

First, here is my network configuration (some addresses have been changed for security):
Code:
                   Internet
                       |
            =======================
            |    Cable Modem      |  LinkSys BEFCMU10
            =======================
                       |
            =======================
            | WAN: via DHCP       |  VoIP Router
            | GW:  via DHCP       |  D-Link DVG-1120M
            | LAN: 192.168.15.1   |
            =======================
                       |
            =======================
            | WAN: 192.168.15.100 |  Broadband Router
            | GW:  192.168.15.1   |  LinkSys BEFSX-41
            | LAN: 10.168.1.1     |
            =======================
                       |
            =======================
            | WAN: DHCP           |  Linux Server
            | GW:  10.168.1.1     |  SuSE 9.3 Pro
            | LAN: 192.168.1.99   |
            =======================
                       |
            =======================
            | GigE Switch ('hub') |  D-Link DGS-1008G
            =======================
                |              |
  ====================    ====================
  | IP: 192.168.1.10 |    | IP: 192.168.1.11 |
  | GW: 192.168.1.99 |    | GW: 192.168.1.99 |
  ====================    ====================
       Home PC #1               Home PC #2
whew. OK, the trick is to pass port 6346 to ALL of the PCs on the home network (actually, there are five of them). When I say "pass port 6346" I mean that LW doesn't detect a firewall and ShieldsUp reports the port as OPEN from the end client (which is NOT the same as some other probe tools which only look at the PublicIP:6348, which will only detect if the port is open on the FIRST device at the edge of the network).

The first device is my VoIP router. Cake. Browse to it (my model defaults to 192.168.15.1). Simply configure port forwarding to send 6346 to the WAN address of the next device (the BroadBand Router). For my model, that's in Configure_Lan_Port -> NAT_Configuration -> Virtual_Server_Configuration. I configure both TCP/UDP to forward 6346-6346 to 192.168.15.100 port 6346-6346.

OK, now the packets are getting to the BroadBand router. Configure the BroadBand router in the same general manner as the VoIP router - ie, port forward 6346 to the WAN address of the next device (the Linux Server). Since the BB router is "sandwiched" between devices, it should have static (and private) IP addresses for BOTH the WAN (Internet) and LAN (Network) sides. For my device, I go to Basic_Setup and configure the WAN (Internet) as a Static address, 192.168.15.100, netmask 255.255.255.0, GateWay 192.168.15.1 (the LAN address of the upstream device). I set the LAN (Local IP) address to a different (private) network, 10.168.1.1. Then go to the "Port Forwarding" section (which, in newer firmware, is called "Applications & Gaming") and configure 6346-6346 TCP/UDP to forward to the WAN address (same port #) of the next device (the Linux Server).

The Linux Server is configured for IP Masquerading (with two NICs - eth0 and eth1, and two IP addresses, one for the LAN side (my home network) and one for the WAN side). I configure it (using YaST, since I'm on SuSE) to masquerade inbound packets on port 6346 from the server's WAN address to the server's own LAN address. That makes the port available to the Linux server itself, as well as all downstream clients that use this server as their gateway (ie, all of my home PCs). Now, this is a "real" firewall, which means it filters inbound AND outbound traffic, so I need to also define reciprocal rules to allow 6346 from the server's LAN to the server's WAN (or some folks configure the firewall to allow ALL outbound traffic from the trusted network, but that's stupid, IMHO).

Since LimeWire doesn't see a firewall, there's no need to configure any firewall settings. It doesn't matter what you do in this section (you can leave it on the UPnP default, which is a laugh - AS IF a well-configured ipfilter firewall is gonna let the client tell it what to do!)

And, voilà - it works.

Cheers!
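The third hop above (the SuSE box), written as plain iptables rules instead of through YaST. This is an added example, not the poster's actual configuration; the interface names eth0 (WAN, toward the BEFSX-41) and eth1 (LAN, 192.168.1.99), the default-deny policies and the DST_IP switch are assumptions.

```shell
#!/bin/sh
# Added example: iptables equivalent of the masquerading server described in
# the post. Assumed: eth0 = WAN side (DHCP from the BEFSX-41), eth1 = LAN side.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="192.168.1.0/24"
SRV_LAN_IP="192.168.1.99"
# Where inbound 6346 is delivered. The post points it at the server's own LAN
# address. A DNAT has exactly one target, so to hand the port to a home PC
# instead, set DST_IP to that PC (e.g. DST_IP=192.168.1.10).
DST_IP="${DST_IP:-$SRV_LAN_IP}"
PORT=6346
RUN="${RUN:-echo}"   # RUN="" applies the rules for real (run as root)

gnutella_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Default-deny inbound and forwarded traffic, then open only what is needed.
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the home LAN behind the server's WAN address (IP masquerading).
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    for proto in tcp udp; do
        # Inbound: rewrite WAN-side 6346 to the chosen LAN destination.
        $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$PORT" \
            -j DNAT --to-destination "$DST_IP:$PORT"
        if [ "$DST_IP" = "$SRV_LAN_IP" ]; then
            # Target is the server itself: the rewritten packet goes through INPUT.
            $RUN iptables -A INPUT -i "$WAN_IF" -p "$proto" -d "$DST_IP" --dport "$PORT" -j ACCEPT
        else
            # Target is a downstream PC: the rewritten packet is forwarded to the LAN.
            $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" \
                -d "$DST_IP" --dport "$PORT" -j ACCEPT
        fi
        # Reciprocal outbound rule: LAN clients may reach 6346 on the Internet,
        # rather than allowing all outbound traffic from the trusted side.
        $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p "$proto" \
            --dport "$PORT" -j ACCEPT
    done
}

gnutella_rules
```

With the default RUN=echo the script only prints the commands, which is a convenient way to review the rule set before applying it.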