DoorStop X Firewall
User's Guide
Troubleshooting
As a general troubleshooting aid, enable DoorStop X's logging
for allowed and denied accesses. Log file entries may give useful
troubleshooting clues.
I installed and activated DoorStop X, and now no one can access
any services on the machine.
- By default, all services are initially protected from any access.
Using methods described in Protecting a Service, you must specify access to a service before it will be accessible.
(12, Configuring a Personal Firewall)
- Creating a new Location reverts DoorStop's protection settings to this default state.
Either again specify services to be protected, or choose another
Location.
- The "built-in firewall" could be
on and blocking all access. Disable it using the Security System
Preferences pane.
I installed and activated DoorStop X, and now no one can access
a particular service on the machine.
- If the service has an entry in the services list of the Setup
window, confirm that the entry allows access to the service from
one or more clients. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, either create an entry for the service or make
sure the "All others" service entry allows access to the service
from the desired clients. (12, Configuring a Personal Firewall)
- Check to make sure that the service itself is configured to allow
access. For example, if no one can access File Sharing, make sure
that File Sharing itself is enabled.
- The "built-in firewall" could be
on and blocking access to that service. Disable it using the Security
System Preferences pane.
I installed and activated DoorStop X, and now a particular user
cannot access a particular service on the machine.
- If the service has an entry in the services list of the Setup
window, make sure that it allows access from the particular user's
IP address. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, either create an entry for the service or make
sure the "All others" service entry allows access from the user's
IP address. (12, Configuring a Personal Firewall)
- Check to make sure that the service itself is configured to allow
access by the user. For example, if no one can access File Sharing,
make sure that File Sharing itself is enabled.
I installed and activated DoorStop X, but all accesses to the
machine are being allowed.
- Be sure DoorStop is enabled, as indicated in DoorStop's Setup
window. (12, Configuring a Personal Firewall)
- Be sure the accesses are being made over TCP, not another protocol.
(6, Protocols)
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
I installed and activated DoorStop X, but all accesses to a particular
service are being allowed.
- If the service has an entry in DoorStop's services list, check
its permissions. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, check the permissions in the "All others" service
entry. (12, Configuring a Personal Firewall)
- Be sure accesses to that service are being made over TCP (or UDP
if you've enabled UDP protection, with the service's port explicitly
specified), not another protocol. Contact the server's manufacturer
to be sure. (6, Protocols)
- Be sure accesses to that server are not being made using IPv6
if you've changed DoorStop to not disable IPv6.
On Lion, if I log out as one user and log in as another, I end up with different protection than I expect.
OR
On Lion, when I run DoorStop as different users, I see different configurations in the setup window.
OR
On Lion, I run the DoorStop application as a new user and it starts anew with the Setup Assistant and its default configuration.
- Running the DoorStop app as more than one user on Lion is not recommended. See this caveat.
I installed and activated DoorStop X, but accesses to iChat screen sharing are still being allowed.
- iChat screen sharing uses UDP rather than TCP. Use the Advanced pane of Preferences to protect UDP and then add the iChat UDP entry to the services list.
With DoorStop X active, I'm having problems with a particular
application.
- Most network applications' documentation will have a section on
how to use that application with a firewall. Also take a look
at Configuration Tips.
- Be sure the application does not require IPv6 in any way.
- iChat audio, video and screen sharing use UDP and the same set
of UDP ports. Protecting one of these services protects all of
them. If you're protecting UDP, try allowing access to the iChat
(UDP) service for the IP address of the machine you're trying
to communicate with.
- iChat Bonjour services (that is, services using iChat between
two machines on your local network) do not use the
port previously allocated for those services. They use a dynamically
determined high-numbered port, which changes each time iChat is
run. To allow access to these services, you need to
look at DoorStop's log file (on the machine you are attempting
to access after an access attempt) to determine exactly what that
port is, and then allow access to it.
I've installed and configured DoorStop X, but I'm getting unpredictable
results.
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
- The "built-in firewall" could be
on and blocking some accesses. Disable it using the Security System
Preferences pane.
- If you run the DoorStop app as more than one user on Lion, you can end up with unexpected results. See this caveat.
DoorStop X warns me that another firewall is running, but I can't
find one.
- Check that OS X's built-in firewall (12, Mac OS X's Built-in Firewall) is not running. If it is, turn it off.
- Check for third-party firewalls on your machine. If there are
any, turn them off and then uninstall them.
- Some applications and services install their own firewall rules,
making it look like there's another firewall running. Such applications
and services include Virtual PC, Internet Sharing and Mac OS X
Server. In these cases, you may need to ignore DoorStop's warning.
iTunes, iPhoto or another application claims a firewall is blocking
a port it needs, but DoorStop X is configured to allow access
to that port.
- Certain applications incorrectly look at the status of the Mac
OS X built-in firewall (in the Sharing Preference pane) to determine
if a port they need is blocked. The message is erroneous.
- The system thinks the built-in firewall is still on. To turn it
off, you need to first turn off DoorStop X, then turn off the
built-in firewall, then re-enable DoorStop X. You should no longer
see the erroneous error message.
With DoorStop X active, I'm having problems downloading files
from a Web site.
OR
With DoorStop X active, I'm having problems with Symantec's LiveUpdate
(or other online utilities).
- The problem may have to do with FTP (File Transfer Protocol),
a protocol commonly used for transferring files. Be sure you've
selected PASV mode in the Network pane of System Preferences.
Alternatively, you can disable DoorStop temporarily. DoorStop only
needs to be off for the file transfer to begin; if you are downloading
several files at once, DoorStop must be off until the last file
starts downloading. For details, see Configuration Tips.
My Macintosh is still answering pings.
- By default, DoorStop allows access to pings. Unless you have a
specific reason to block pings, and understand the consequences,
you should not block them. See Stealth mode for further details. (12, Configuring a Personal Firewall)
I configured DoorStop X to log access attempts, but it doesn't
work.
- Confirm that the right checkboxes have been checked in the Logging
pane of DoorStop's Preferences dialog.
- Make sure you're looking in the right location for the log file:
/Library/Preferences/WhosThere.log. For further details on logging,
see Logging.
- Be sure that access attempts are getting through to the machine
on which DoorStop is running (for instance by accessing a service
on that machine).
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
- Be sure you have not turned off logging for the particular service
that you're trying to see log entries for (see service-specific logging).
- If you enabled the built-in firewall and that firewall has logging
enabled, it could have overridden DoorStop's logging. Be sure
that firewall is off, and re-run the DoorStop X application.
- See the next troubleshooting items below.
When I run DoorStop X, I get an error message "DoorStop X cannot
set up your Macintosh for logging. The firewall can operate, but
firewall logging may not take place or appear in the correct file."
- This error occurs if DoorStop X is unable to open the file /etc/syslog.conf.
Using the Finder's "Go -> Go to folder..." menu item, go to directory
/etc, select the file syslog.conf, and use the Finder's "File
-> Get Info..." command. If the file is locked, unlock it. Also
confirm that syslog.conf is owned by "system" (Read & Write),
belongs to group "wheel" (Read only), and has permission "Read
only" for "Others".
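The Finder check above can also be done from Terminal. The script below is an added example and is not part of the DoorStop X guide; it assumes that the owner Finder shows as "system" is the Unix user root, that the Finder lock corresponds to the BSD uchg flag that `ls -lO` prints on Mac OS X, and that the file should be root:wheel with mode rw-r--r-- (the Read & Write / Read only / Read only settings the guide lists). The function names `check_perm_line` and `check_syslog_conf` are this example's own.

```shell
#!/bin/sh
# Added example (not from the DoorStop X guide): verify ownership,
# permissions and the lock flag of /etc/syslog.conf from the shell.
# Assumption: Finder's "system" owner is root; the Finder lock is the
# BSD "uchg" flag, visible in the flags column of `ls -lO`.

# check_perm_line LINE
#   LINE is one line of `ls -lO` (or plain `ls -l`) output. Returns 0 when
#   the file is root:wheel, mode rw-r--r-- and not locked; otherwise prints
#   the reason and returns 1.
check_perm_line() {
    set -- $1                      # split the ls line into fields
    mode=$1; owner=$3; group=$4; flags=$5
    case "$mode" in
        -rw-r--r--*) ;;            # a trailing @ or + (xattrs/ACL) is fine
        *) echo "unexpected mode: $mode (want -rw-r--r--)"; return 1 ;;
    esac
    [ "$owner" = root ]  || { echo "unexpected owner: $owner (want root, shown as 'system' in Finder)"; return 1; }
    [ "$group" = wheel ] || { echo "unexpected group: $group (want wheel)"; return 1; }
    case "$flags" in
        *uchg*|*schg*) echo "file is locked (flag $flags); unlock it first"; return 1 ;;
    esac
    return 0
}

# check_syslog_conf [PATH]
#   Runs the check on the live file. `ls -lO` (Mac OS X) adds the flags
#   column that reveals the Finder lock; plain `ls -l` would miss it.
check_syslog_conf() {
    path=${1:-/etc/syslog.conf}
    line=$(ls -lO "$path" 2>/dev/null) || { echo "cannot list $path"; return 1; }
    check_perm_line "$line"
}

# Usage on the affected Mac:
#   check_syslog_conf && echo "syslog.conf looks right for DoorStop logging"
```

If the check reports a wrong owner, group or mode, the Get Info settings described above (or `sudo chown root:wheel` and `sudo chmod 644` on the file) bring it back to the expected state; a reported lock is what the Finder's "Locked" checkbox sets and clears.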
DoorStop X seems to log some access attempts, but not all.
- Check the Logging pane of DoorStop's Preferences dialog to be
sure DoorStop is configured to log the kinds of access attempts
wanted (denied, allowed, or both).
- Check the Advanced pane of Preferences to make sure you have enabled
UDP logging if desired. Even if so, DoorStop will, in most cases,
only log UDP packets to UDP ports 1-1023 and those explicitly
specified in the protected services list.
- When your machine receives a large number of access attempts in
a short period, DoorStop will eliminate some duplicate lines (same
date, time, ipfw rule, client IP address, and service) from the
log file.
- Be sure you have not turned off logging for the particular services
that you're trying to see log entries for (see service-specific logging).
I set the log to archive every day/week/month, or after it reaches
a certain size, but it doesn't seem to be doing so.
- Archiving occurs at 3am, so be sure your machine is on at that
time. If your machine is not on, archiving will take place the
next 3am at which it is. See the section on log archiving.
- Be sure you are checking the right folder (/Library/Preferences/Open
Door Networks) for the archived log file.
I quit the DoorStop X application, but DoorStop is still operational.
- Access to services is controlled by the built-in firewall technology
of Mac OS X ("ipfw"), and is not affected by launching or quitting
the DoorStop application. To turn off access control, use the
Stop/Start button at the top of DoorStop's Setup window.
UDP protection is enabled and now I can't access the Web or my
email. (6, Protocols)
- You have probably affected a low-level service that your Mac needs
to perform day-to-day Internet operations. Possibilities include:
- DHCP. Check the Network System Preferences window to see if your
Mac is configured to get its IP address using DHCP. If so, you
need to have a service entry to allow access to DHCP (UDP ports
67 and 68). If, when you enabled UDP protection, you chose to
have DoorStop add an entry for system internal services, DoorStop
should have created an unprotected service entry that includes
DHCP; otherwise, you'll need to create such an entry manually,
and edit that service entry to allow the DHCP server to access your machine. Use the DHCP
server's IP address, as shown in the log file, or as displayed
by Who's There? Firewall Advisor.
- DNS. Just about any outgoing Internet operation requires DNS,
which converts host names like www.opendoor.com to IP addresses.
Check to make sure that you are not blocking the dynamic ports
used by DNS (usually ports 32768 or higher).
UDP protection is enabled and now the Date & Time pane of System
Preferences gets an error trying to talk to the Time Server. (6, Protocols)
- You need to have a service entry to allow access to Date & Time
(UDP port 123). If, when you enabled UDP protection, you chose
to have DoorStop add an entry for system internal services, DoorStop
should have created an unprotected service entry that includes
Date & Time; otherwise, you'll need to create such an entry manually,
and edit that service entry to allow the time server to access your machine. Use the time
server's IP address, as shown in the log file, or as displayed
by Who's There? Firewall Advisor. Note that the technical term for Date & Time is Network Time
Protocol (NTP).
UDP protection is enabled and the log file now has many more entries.
(6, Protocols)
- Since UDP is a connectionless protocol, DoorStop protects services by potentially blocking every packet
destined for those services. It also logs each such packet if
configured to do so. You may wish to disable logging of allowed
accesses, or all UDP logging, to minimize the amount of information
logged.
I want to define access for a service, but I don't know the port
number the service uses. (6, Port Numbers)
- If a service is not in the Service Information dialog list, try
checking the "Include server ports" check box. Also, if the service
is UDP based, turn on UDP protection through the Preferences dialog.
- Check Open Door's port number list.
- Access the service and then use the port number for the access
entry as shown in the log file, or as displayed by Who's There? Firewall Advisor.
It's very hard to interpret DoorStop X's log file. (13, Introduction)
- Firewall log files are, by their very nature, hard to read. Log
lines are terse, and there are often a lot of them. Special applications,
such as Open Door's Who's There? Firewall Advisor can help make sense of firewall log files, by sorting and summarizing
data, making it easier to see patterns in access attempts that
may point to attempted security violations. Who's There? 2.0 and
later is integrated with DoorStop X through DoorStop's Log menu.
Free 30-day evaluation copies of Who's There? are available.
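Several of the items above (finding the dynamically chosen iChat Bonjour port, reading the DHCP or time server's IP address out of the log, and making sense of the log in general) come down to summarizing ipfw log lines. The script below is an added example and is not part of the DoorStop X guide, DoorStop itself or Who's There?. Its sample lines are constructed in the generic syslog/ipfw layout (`rule Action PROTO src:port dst:port in via iface`); that layout, and the function names `dedupe_log`, `denied_ports` and `clients_for_port`, are assumptions for the demonstration, not a description of the real WhosThere.log format.

```shell
#!/bin/sh
# Added example (not from the DoorStop X guide): summarize ipfw-style
# firewall log lines. Assumed line layout (constructed for this demo):
#   Mon DD HH:MM:SS host ipfw[pid]: RULE Action PROTO src:sport dst:dport in via IFACE
# In awk terms: $6 rule, $7 action, $8 protocol, $9 client, $10 destination.

# Constructed sample log. The first two lines are an exact duplicate pair of
# the kind the guide says DoorStop collapses under heavy traffic.
SAMPLE_LOG='Mar  3 10:15:01 mymac ipfw[112]: 65000 Deny TCP 203.0.113.9:51022 192.168.1.20:548 in via en0
Mar  3 10:15:01 mymac ipfw[112]: 65000 Deny TCP 203.0.113.9:51022 192.168.1.20:548 in via en0
Mar  3 10:15:07 mymac ipfw[112]: 65010 Allow UDP 192.168.1.1:67 192.168.1.20:68 in via en0
Mar  3 10:15:09 mymac ipfw[112]: 65000 Deny TCP 203.0.113.9:51030 192.168.1.20:548 in via en0
Mar  3 10:16:30 mymac ipfw[112]: 65020 Deny UDP 192.168.1.33:49152 192.168.1.20:58231 in via en0
Mar  3 10:16:31 mymac ipfw[112]: 65020 Deny UDP 192.168.1.33:49152 192.168.1.20:58231 in via en0'

# dedupe_log: drop adjacent identical lines (the same effect DoorStop's own
# duplicate elimination has on a burst of repeated attempts).
dedupe_log() {
    uniq
}

# denied_ports: print "PROTO dst-port count" for every denied access on
# stdin, most frequent first. A high-numbered UDP port near the top is the
# kind of entry the iChat Bonjour item above tells you to look for.
denied_ports() {
    awk '$7 == "Deny" { split($10, d, ":"); c[$8 " " d[2]]++ }
         END { for (k in c) print k, c[k] }' | sort -k3,3nr -k1,1
}

# clients_for_port PORT: list the client IP addresses that reached a given
# destination port (e.g. 68 to learn the DHCP server's address, 123 for the
# time server), allowed or denied.
clients_for_port() {
    awk -v port="$1" '{ split($9, s, ":"); split($10, d, ":");
                        if (d[2] == port) print s[1] }' | sort -u
}

# Demo run on the constructed sample; on a real machine feed the log the
# guide names instead:  denied_ports < /Library/Preferences/WhosThere.log
printf '%s\n' "$SAMPLE_LOG" | dedupe_log | denied_ports
printf '%s\n' "$SAMPLE_LOG" | clients_for_port 68
```

The summary is deliberately keyed on protocol and destination port rather than on the client, because that is the unit DoorStop's service entries are defined in: once you know the port, you can create or edit the matching entry and allow only the client addresses `clients_for_port` reports.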
I'm having problems with an application that uses IPv6. (6, Protocols)
OR
Users on other machines can't contact my machine using IPv6.
- Since IPv6 is so rarely used, and can introduce security vulnerabilities,
DoorStop disables it by default. You can re-enable it as indicated
in the section on IPv6.
- After telling DoorStop not to disable IPv6, you also need to use
the Network System Preferences dialog to enable IPv6 on the network
connections where you want to use it.
I'm trying to add a custom icon to a service, but it won't paste.
- Custom icons work only with custom services that DoorStop does
not otherwise know about. That is, the service is not in the list
of default protected services, and it's not in the Service Information
list.
- If you have already pasted in a custom icon and are trying to
paste in another, you need to delete the first icon and then add
the second.
I've added a custom icon to a service, but Who's There? isn't
displaying it.
- Be sure you are using version 2.0 or later of Who's There?
- You need to quit and restart Who's There? after adding a custom
icon to DoorStop.
When I try using the Log commands to have Who's There? display
log information, nothing happens.
OR
The Log commands do not appear in the Log menu.
- Be sure you have only one copy of Who's There? on your drive or
any mounted drives, and that the one copy is version 1.1 or later.
From the Log menu I request a summary for a particular service
(or IP address), but when Who's There? displays its "Summary by
..." window, nothing is displayed for the service (or IP address)
I requested.
- There are no lines in the current log file containing the service
(or IP address) you requested.
- Be sure you have only one copy of Who's There? on your drive or
any mounted drives, and that the one copy is version 1.1 or later.
The new Location I created blocks access to everything; I want
it to act pretty much the same as my original Location.
- A new Location will always be set with DoorStop's original protection
list, which blocks access to all TCP services. You can duplicate
a previous Location if you want to create a new one based on it.
See the section on Locations.
I cannot access the book's blog, Twitter stream or Top 10 list.
- You must have Internet access to be able to search and access
the blog or list, or access Twitter.
- Perhaps the blog's Web site is too busy, or temporarily inaccessible.
Try again a bit later.
Searching the blog returns results that don't match what I'm expecting.
- The search takes advantage of Google technology to provide a highly advanced lookup of your search terms in the blog. In some cases, some of the results returned may not directly match what you're expecting.
- The search also may return related information from the Web itself
which is not necessarily part of the blog.
I am blocking Screen Sharing using DoorStop X, but someone can
still control my screen using iChat.
- iChat's Screen Sharing feature is different
from the one based on Apple Remote Desktop, activated through
Sharing System Preferences and accessible through the
Finder. iChat Screen Sharing is implemented utilizing UDP and
servers at Apple, and thus there is no incoming TCP connection
attempt for DoorStop X to block.
- Blocking iChat UDP ports (through the "iChat a/v and screen sharing
(UDP)" entry) will block iChat Screen Sharing, although it also
prevents iChat audio and video from working.
- It may be simpler just to disable iChat Screen Sharing using iChat.
I am blocking Screen Sharing and/or File Sharing using DoorStop
X, but access is still allowed through "Back to My Mac."
- "Back to My Mac" does not use the standard ports to allow access
to these services. To block its access, you must block UDP port
4500.
I want to block all access to all services on my Mac, but there's
an unblocked entry for "System internal services."
- To block iChat's screen sharing service, it's necessary
to enable UDP protection. The unblocked entry is necessary when UDP protection is enabled;
otherwise you will not be able to communicate on the Internet
in many situations. You can remove this entry if you'd like, but
you should only do so if you understand the consequences.