I came across this today on a Mac gaming mail list. The author is Wade Williams, a Systems Engineer at Cisco Systems. I’m going to assume that makes him an authority on the matter.
Reproduced without permission (it was on a public email list :))
[quote]
From: ******@mac.com
Subject: Re: Getting UDP through NAT/firewalls/whatever for a game.
Date: January 8, 2004 5:38:27 PM EST
- Client logs in with TCP connection to pass username/password, etc. Client also tells server what port to send an unsolicited UDP packet on.
- Server tries unsolicited UDP connection. If it works, it uses that for this client.
- If client does not receive unsolicited UDP packet in a specified amount of time, it starts sending UDP messages to the server (in essence, a UDP “ping”) in order to allow the now solicited messages from the server to return. As someone suggested, one every 15 seconds or so would probably work fine.
- If after sending the UDP messages to the client, the server is unable to get an acknowledgment from the client that its UDP messages are being received, the server begins sending over the TCP connection.

Now, with all that said, the code to send the UDP ping doesn’t really add any significant overhead, so you’re probably better off by simplifying things and leaving out steps 1 and 2, since they’re unlikely to work in a large number of scenarios.
Note that if there’s any way possible, you should provide the ability to fall back to TCP only. This will work a lot better than you think. It works great for our multiplayer flight sim. UDP should be used if possible, but you’ll be surprised at how well TCP works.
Wade
[/quote]
“solicited UDP” being defined as a process where the client repeatedly sends UDP packets to the server (above it says 1 every 15 seconds) so that the NAT/firewall keeps a mapping between the client and the port it uses on the other side.
Many of you are likely aware of this technique, but I figured I would post it for newbies. I probably should put it on the Wiki, but first I'm posting it here for comments.
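The simplified flow from the quoted e-mail (client pings first, server answers through the resulting mapping, TCP as the fallback), as an added Python example that is not part of the original post or the author's game code. The payloads, function names and the loopback stand-in server are assumptions; the client also drops datagrams that do not come from the server's address, since the open mapping is reachable from outside.

```python
import socket
import threading
import time

PING = b"ping"      # constructed keepalive payload (assumption)
KEEPALIVE_S = 15    # interval suggested in the quoted e-mail

def pick_transport(server, timeout=0.3, attempts=3):
    """Return ("udp", sock) if `server` answers a ping, else ("tcp", None)
    so the caller keeps using its existing TCP login connection."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for _ in range(attempts):
        sock.sendto(PING, server)            # outbound packet opens the NAT mapping
        deadline = time.monotonic() + timeout
        try:
            while (left := deadline - time.monotonic()) > 0:
                sock.settimeout(left)
                _, peer = sock.recvfrom(2048)
                if peer == server:           # ignore datagrams from anyone else
                    return "udp", sock
        except OSError:                      # timeout or ICMP unreachable
            pass
    sock.close()
    return "tcp", None

def keepalive(sock, server, stop, interval=KEEPALIVE_S):
    """Re-send the ping every `interval` seconds until `stop` is set, so the
    NAT/firewall does not expire the mapping. Returns the number sent."""
    sent = 0
    while not stop.wait(interval):
        sock.sendto(PING, server)
        sent += 1
    return sent

def demo_server(reply):
    """Constructed loopback stand-in for the game server: answers one ping
    when reply=True, stays silent (as if UDP were filtered) when False."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)
    def run():
        try:
            _, peer = srv.recvfrom(2048)
            if reply:
                srv.sendto(b"pong", peer)
        except OSError:
            pass
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    print(pick_transport(demo_server(True))[0], pick_transport(demo_server(False))[0])
```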