DoorStop X User's Guide - Configuration Tips

Who's There? Firewall Advisor
User's Guide

Configuration Tips

This chapter discusses the protection of some commonly used network services, in addition to the built-in protection -- often configurable via the Sharing Preferences pane -- afforded by each service. Since each section refers to DoorStop X's Setup window, a screen shot is included here:

Figure 1. The DoorStop X Setup window

Personal File Sharing (8, Personal File Sharing)

Personal File Sharing allows you to share files on your Macintosh with other users on your intranet, or on the Internet. To enable File Sharing, go to the Sharing pane of System Preferences, click the Services tab, and check the box next to Personal File Sharing. Users on other machines will be able to log into File Sharing on your Macintosh, using account names and passwords defined in the Accounts pane of System Preferences. For protection beyond that of user names and passwords, go to DoorStop's Setup window, choose Personal File Sharing (port 548) from the list of protected services, and configure that entry to allow access from only those machines that need it. For example, if you wanted to allow access from other users on your local network, but not from the Internet, you could choose "Allow access from only addresses in list" and then make an address entry for your local subnet.

iApps and OS X's built-in firewall (9; 12, OS X's Built-in Firewall)

If you're going to use any of Apple's i-applications (iChat, iTunes or iPhoto) in conjunction with any firewall other than OS X's built-in firewall, you should first disable the built-in firewall, to avoid possible false warnings about needed ports being blocked. This applies to any third-party firewall, not just DoorStop. To turn off the built-in firewall, first disable DoorStop, then go to the Firewall tab of the Sharing Preferences pane, and confirm that the firewall is off. Then restart DoorStop.

Configuring DoorStop X for iChat (9, iChat)

iChat is an extremely useful and popular application used for instant communication with other users, either on your local network, or on the Internet. iChat allows you to communicate via text, voice or video, and to transfer files. When communicating with users on the Internet, iChat talks to an AIM (AOL Instant Messaging) server, which in turn relays your data to the distant user. When communicating with users on your local network, you can use OS X's Bonjour (called "Bonjour" in OS X 10.4.x and "Rendezvous" in OS X 10.3.x) service location protocol to detect iChat-enabled machines on your network, and then communicate directly with those machines. For local communication, Bonjour is preferred, since your data is not exposed to the risks of the Internet.

Using iChat with AIM -- for communicating with users not on your local network -- you don't need to configure DoorStop (as long as you don't block high-numbered UDP ports).

Using iChat Bonjour, first you will need to confirm that Bonjour messaging is enabled:

Panther (10.3.x) - Go to iChat's preferences, click Accounts, choose the account you wish to use with Bonjour (Rendezvous), and make sure that "Enable local Rendezvous messaging" is checked.
Tiger (10.4.x) - Go to iChat's preferences, click Accounts, and confirm that the account "Bonjour" has a checkmark next to it. If not, click the account name.

Second, you will need to configure DoorStop:

Text communication - Allow access from machines on your local network to:
- iChat Bonjour (TCP port 5298), listed in DoorStop's Setup window
- Bonjour (UDP port 5353), listed in DoorStop's Setup window
Voice - Allow access from machines on your local network to:
- iChat Bonjour (TCP port 5298), listed in DoorStop's Setup window
- Bonjour (UDP port 5353), listed in DoorStop's Setup window
- iChat (SIP) (UDP port 5060), listed in DoorStop's Service Information window
- iChat (UDP ports 16384 - 16403), listed in DoorStop's Service Information window
File transfer - Allow access from machines on your local network to:
- iChat Bonjour (TCP port 5298), listed in DoorStop's Setup window
- Bonjour (UDP port 5353), listed in DoorStop's Setup window

UDP ports only need to be configured if DoorStop is set to protect UDP.

Configuring DoorStop X for iTunes (9, iTunes)

Although iTunes is primarily an application for downloading, cataloging and playing music, it also has the (optional) ability to share music with other machines on your local network.

If you wish to prevent access from all machines on your network to iTunes on your machine, you should ensure that sharing in iTunes preferences (Figure 2) is disabled, and then confirm that DoorStop is set to deny access to iTunes from all IP addresses (this is DoorStop's default setting for iTunes).

If you wish to allow access from one or more machines on your network you must enable sharing in iTunes and then configure DoorStop to allow access to only those machines.

Figure 2. iTunes sharing preferences

To enable or disable the sharing of your music, check or uncheck the "Share my music" checkbox. If you check the "Share my music" checkbox, also check the "Require password" checkbox and enter a password. To configure DoorStop to allow access to one or more users, run the DoorStop application and, in the service list of the Setup window (Figure 1), select "iTunes Music Sharing/Port 3689". Next, on the right side of the Setup window, choose the desired protection, as described in Protecting a service.

Configuring DoorStop X for iPhoto (9, iPhoto)

iPhoto is similar to iTunes in that it is not primarily a networking application, but does have some optional local networking capabilities. As with iTunes, unless you want to actually share photos, you should not enable iPhoto's sharing capability, and should leave DoorStop's protection for iPhoto in its default state -- deny all.

Figure 3. iPhoto sharing preferences

If you wish to share your photos with other users on your local network, check or uncheck the "Share my photos" checkbox in iPhoto's sharing preferences (Figure 3). If you check the "Share my photos" checkbox, also check the "Require password" checkbox and enter a password. To configure DoorStop to allow access to one or more users, run the DoorStop application and, in the service list of the Setup window (Figure 1), select "iPhoto Photo Sharing/Port 8770". Next, on the right side of the Setup window, choose the desired protection, as described in Protecting a service.

Configuring DoorStop X for Internet Sharing (8, Internet Sharing)

Mac OS X includes Internet Sharing, the ability of a Macintosh to share its Internet connection with other computers. Say, for example, that your Mac at home is connected to a cable modem, and that you wish to share that Internet connection with a wireless Mac in your home. Go to the Sharing preferences pane and click Internet to see the pane shown in Figure 4. Making the selections shown in Figure 4 will share the wired Internet connection of your machine with other computers via AirPort.

Figure 4. Internet Sharing preferences

To use Internet Sharing with a firewall running on your machine, however, requires a few more steps. Note that this pertains to any firewall, not just DoorStop. If client machines sharing your Internet connection wish to access the Web, you must enable your firewall to allow access to Web Sharing. You do not need to enable Web sharing on your machine, just access to Web Sharing's port (80) in the firewall on your machine. Likewise, if a client machine wishes to read and send email, you must enable the firewall on your machine to allow access to POP (Post Office Protocol) and SMTP (Simple Mail Transfer Protocol), for receiving and sending mail, respectively. For maximum security, allow access to these ports only from the shared network range (e.g. 192.168.2.0 - 192.168.2.255). Some of the services that clients use may be in DoorStop's built-in services, and other may need to be defined by you. Protecting built-in services is covered in Protecting Basic Services, while protecting user-defined services is covered in Protecting User-defined Services.

FTP clients (14, What is FTP?)

You should be able to connect to many FTP servers without configuring DoorStop. Some FTP clients or servers, however, may use a feature of the protocol which works by having the FTP server open a TCP connection back to your machine and then use that connection as a "data port", to get data from your machine. The problem is that a) the port number used for the data port is usually picked more or less at random, and b) the FTP server must have access to the data port it decides to open on your machine. There are a number of options for enabling such access:

Use "passive mode" FTP, which does not require the use of a data port. The easiest way to specify passive mode is to go to the Network pane of System Preferences, click the Proxies tab, and check the "Use Passive FTP Mode (PASV)" checkbox. Also, some FTP applications allow you to specify passive mode.
OR
Stop DoorStop temporarily. DoorStop only needs to be off for a file transfer to begin; if you are downloading several files at once, DoorStop must be off until the last file starts downloading. You can restart DoorStop once the transfer of the last file has begun.
OR
In the "All others" service entry, allow access from the FTP server machine (use the IP address from the log file, or as displayed by Who's There? Firewall Advisor).
OR
If your FTP client application allows you to specify the data port to use, specify a port and then create a service entry for that port, which allows access from the FTP server machine.

Back to Table of Contents
Back to User-defined Services
Forward to Accessing Internet Security for Your Macintosh