If you have a firewall between two members of one cluster it will be difficult.
The problem is that port numbers that are opened are randomly calculated.
Also you might have the multicast stuff by default for inner cluster communication.
I think the best way is to bind against a special IP and route all for this IP and MCast address through the firewall.
A helpful test, for the JGroups cluster communication, is here http://community.jboss.org/wiki/TestingJBoss
This wiki http://community.jboss.org/wiki/UsingJBossBehindAFirewall is only for the communication if the firewall is between JBoss and its clients.
In addition to the above, do not forget port offsets.
offset = 100
e.g. adjustable in bindings-jboss-beans.xml
I totally agree with Wolf-Dieter to bind the addresses, but I'd rather bind all at once instead of binding the most important and common ones first and proving whether that solves the problem.
Your suggestion works for me...