Who's There? Firewall Advisor
User's Guide
Troubleshooting
As a general troubleshooting aid, enable DoorStop X's logging
for allowed and denied accesses. Log file entries may give useful
troubleshooting clues.
I installed and activated DoorStop X, and now no one can access
any services on the machine.
- By default, all services are initially protected from any access.
Using methods described in Protecting a Service, you must specify access to a service before it will be accessible.
(12, Configuring a Personal Firewall)
I installed and activated DoorStop X, and now no one can access
a particular service on the machine.
- If the service has an entry in the services list of the Setup
window, confirm that the entry allows access to the service from
one or more clients. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, either create an entry for the service or make
sure the "All others" service entry allows access to the service
from the desired clients. (12, Configuring a Personal Firewall)
- Check to make sure that the service itself is configured to allow
access. For example, if no one can access File Sharing, make sure
that File Sharing itself is enabled.
I installed and activated DoorStop X, and now a particular user
cannot access a particular service on the machine.
- If the service has an entry in the services list of the Setup
window, make sure that it allows access from the particular user's
IP address. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, either create an entry for the service or make
sure the "All others" service entry allows access from the user's
IP address. (12, Configuring a Personal Firewall)
- Check to make sure that the service itself is configured to allow
access by the user. For example, if no one can access File Sharing,
make sure that File Sharing itself is enabled.
I installed and activated DoorStop X, but all accesses to the
machine are being allowed.
- Be sure DoorStop is enabled, as indicated in DoorStop's Setup
window. (12, Configuring a Personal Firewall)
- Be sure the accesses are being made over TCP, not another protocol.
(6, Protocols)
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
I installed and activated DoorStop X, but all accesses to a particular
service are being allowed.
- If the service has an entry in DoorStop's services list, check
its permissions. (12, Configuring a Personal Firewall)
- If the service does not have an entry in the services list of
the Setup window, check the permissions in the "All others" service
entry. (12, Configuring a Personal Firewall)
- Be sure accesses to that server are being made over TCP (or UDP
if you've enabled UDP protection, and the UDP port range includes
the service's port), not another protocol. Contact the server's
manufacturer to be sure. (6, Protocols)
With DoorStop X active, I'm having problems with a particular
application.
- Most network applications' documentation will have a section on
how to use that application with a firewall. Also take a look
at Configuration Tips.
I've installed and configured DoorStop X, but I'm getting unpredictable
results.
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
DoorStop X warns me that another firewall is running, but I can't
find one.
- Check that OS X's built-in firewall (12, Mac OS X's Built-in Firewall) is not running. If it is, turn it off.
- Check for third-party firewalls on your machine. If there are
any, turn them off and then uninstall them.
- Some applications and services install their own firewall rules,
making it look like there's another firewall running. Such applications
and services include Virtual PC, Internet Sharing and Tiger Server.
In these cases, you may need to ignore DoorStop's warning.
iTunes, iPhoto or another application claims a firewall is blocking
a port it needs, but DoorStop X is configured to allow access
to that port.
- Certain applications incorrectly look at the status of the Mac
OS X built-in firewall (in the Sharing Preference pane) to determine
if a port they need is blocked. The message is erroneous.
- The system thinks the built-in firewall is still on. To turn it
off, you need to first turn off DoorStop X, then turn off the
built-in firewall, then re-enable DoorStop X. You should no longer
see the erroneous error message.
With DoorStop X active, I'm having problems downloading files
from a Web site.
OR
With DoorStop X active, I'm having problems with Symantec's LiveUpdate
(or other online utilities).
- The problem may have to do with FTP (File Transfer Protocol),
a protocol commonly used for transferring files. Be sure you've
selected PASV mode in the Network pane of System Preferences.
Alternatively, you can disable DoorStop temporarily. DoorStop only
needs to be off for the file transfer to begin; if you are downloading
several files at once, DoorStop must be off until the last file
starts downloading. For details, see Configuration Tips.
My Macintosh is still answering pings.
- By default, DoorStop allows access to pings. Unless you have a
specific reason to block pings, and understand the consequences,
you should not block them. See Stealth mode for further details. (12, Configuring a Personal Firewall)
I configured DoorStop X to log access attempts, but it doesn't
work.
- Confirm that the right checkboxes have been checked in the Logging
pane of DoorStop's Preferences dialog.
- Make sure you're looking in the right location for the log file:
/Library/Preferences/WhosThere.log. For further details on logging,
see Logging.
- Be sure that access attempts are getting through to the machine
on which DoorStop is running (for instance by accessing a service
on that machine).
- There may be a third-party firewall running, or you may need to
uninstall such a firewall. Be sure you have both turned off and
uninstalled any third-party firewall you installed previously.
In particular, if you previously installed the Norton Personal
Firewall, see http://www.opendoor.com/doorstop/NPF.html.
- See the next troubleshooting item below.
When I run DoorStop X, I get an error message "DoorStop X cannot
set up your Macintosh for logging. The firewall can operate, but
firewall logging may not take place or appear in the correct file."
- This error occurs if DoorStop X is unable to open the file /etc/syslog.conf.
Using the Finder's "Go -> Go to folder..." menu item, go to directory
/etc, select the file syslog.conf, and use the Finder's "File
-> Get Info..." command. If the file is locked, unlock it. Also
confirm that syslog.conf is owned by "system" (Read & Write),
belongs to group "wheel" (Read only), and has permission "Read
only" for "Others".
DoorStop X seems to log some access attempts, but not all.
- Check the Logging pane of DoorStop's Preferences dialog to be
sure DoorStop is configured to log the kinds of access attempts
you want (denied, allowed, or both).
- When your machine receives a large number of access attempts in
a short period, DoorStop will eliminate some duplicate lines (same
date, time, ipfw rule, client IP address, and service) from the
log file.
I quit the DoorStop X application, but DoorStop is still operational.
- Access to services is controlled by the built-in firewall technology
of Mac OS X ("ipfw"), and is not affected by launching or quitting
the DoorStop application. To turn off access control, use the
Stop/Start button at the top of DoorStop's Setup window.
I enabled UDP protection and now I can't access the Web or my
email. (6, Protocols)
- You have probably affected a low-level service that your Mac needs
to perform day-to-day Internet operations. Possibilities include:
- DHCP. Check the Network System Preferences window to see if your
Mac is configured to get its IP address using DHCP. If so, you
need to have a service entry to allow access to DHCP (UDP ports
67 and 68). If, when you enabled UDP protection, you chose to
have DoorStop add filters for common UDP services, DoorStop should
have created an unprotected service entry for DHCP; otherwise,
you'll need to create such an entry manually, and edit that service entry to allow the DHCP server to access your machine. Use the DHCP
server's IP address, as shown in the log file, or as displayed
by Who's There? Firewall Advisor.
- DNS. Just about any outgoing Internet operation requires DNS,
which converts host names like www.opendoor.com to IP addresses.
Check to make sure that you are not blocking the dynamic ports
used by DNS (usually ports 32768 or higher).
I enabled UDP protection and now the Date & Time pane of System
Preferences gets an error trying to talk to the Time Server. (6, Protocols)
- You need to have a service entry to allow access to Date & Time
(UDP port 123). If, when you enabled UDP protection, you chose
to have DoorStop add filters for common UDP services, DoorStop
should have created an unprotected service entry for Date & Time;
otherwise, you'll need to create such an entry manually, and edit that service entry to allow the time server to access your machine. Use the time
server's IP address, as shown in the log file, or as displayed
by Who's There? Firewall Advisor. Note that the technical term for Date & Time is Network Time
Protocol (NTP).
I enabled UDP protection and the log file now has many more entries.
(6, Protocols)
- Since UDP is a connectionless protocol, DoorStop protects services by potentially blocking every packet
destined for those services. It also logs each such packet if
configured to do so. You may wish to disable logging of allowed
accesses, or all UDP logging, to minimize the amount of information
logged.
I want to define access for a service, but I don't know the port
number the service uses. (6, Port Numbers)
- If a service is not in the Service Information dialog list, try
checking the "Include server ports" check box. Also, if the service
is UDP-based, turn on UDP protection through the Preferences dialog.
- Check Open Door's port number list.
It's very hard to interpret DoorStop X's log file. (13, Introduction)
- Firewall log files are, by their very nature, hard to read. Log
lines are terse, and there are often a lot of them. Special applications,
such as Open Door's Who's There? Firewall Advisor, can help make sense of firewall log files by sorting and summarizing
data, making it easier to see patterns in access attempts that
may point to attempted security violations. Who's There? 2.0 and
later is integrated with DoorStop X through DoorStop's Log menu.
Free 30-day evaluation copies of Who's There? are available.
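
The duplicate elimination and the per-IP and per-service summaries described above can be sketched as follows. This is an added example, not Open Door's code: the log line layout and the "Deny"/"Accept" action words are assumed (the guide does not show a log line), the sample lines are constructed, and the destination port stands in for the "service".

```python
import re
from collections import Counter

# Constructed sample lines. The ipfw syslog layout used here is an assumption;
# lines 1 and 2 match on date, time, rule, client IP and service port.
SAMPLE_LOG = """\
Mar  3 10:15:01 mac kernel: ipfw: 2000 Deny TCP 203.0.113.9:40112 192.0.2.10:22 in via en0
Mar  3 10:15:01 mac kernel: ipfw: 2000 Deny TCP 203.0.113.9:40113 192.0.2.10:22 in via en0
Mar  3 10:15:02 mac kernel: ipfw: 2000 Deny TCP 203.0.113.9:40114 192.0.2.10:22 in via en0
Mar  3 10:16:40 mac kernel: ipfw: 2010 Deny TCP 198.51.100.7:51000 192.0.2.10:548 in via en0
Mar  3 10:17:05 mac kernel: ipfw: 1000 Accept TCP 192.0.2.20:49200 192.0.2.10:80 in via en0
Mar  3 10:17:30 mac kernel: ipfw: 3000 Deny UDP 198.51.100.7:5353 192.0.2.10:123 in via en0
this line is not an ipfw entry
"""

LINE_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<client>[\d.]+):\d+ [\d.]+:(?P<port>\d+) in\b"
)

def parse(log_text):
    """Return one dict per parseable inbound TCP/UDP line; skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def dedupe(entries):
    """Drop repeats with the same date, time, rule, client IP and service port."""
    seen, kept = set(), []
    for e in entries:
        key = (e["date"], e["time"], e["rule"], e["client"], e["port"])
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept

def summarize(entries, field, action="Deny"):
    """Count entries with the given action, grouped by 'client' or 'port'."""
    return Counter(e[field] for e in entries if e["action"] == action)

if __name__ == "__main__":
    entries = dedupe(parse(SAMPLE_LOG))
    for field in ("client", "port"):
        print(f"Denied attempts by {field}:")
        for value, count in summarize(entries, field).most_common():
            print(f"  {value:<16} {count}")
```

Because of the duplicate elimination, a count taken from the log is a lower bound on the number of attempts during a burst.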
I'm having problems with an application that uses IPv6. (6, Protocols)
OR
Users on other machines can't contact my machine using IPv6.
- Since IPv6 is so rarely used, DoorStop blocks all access attempts
made using IPv6.
I'm trying to add a custom icon to a service, but it won't paste.
- Custom icons work only with custom services that DoorStop does
not otherwise know about. That is, the service is not in the list
of default protected services, and it's not in the Service Information
list.
- If you have already pasted in a custom icon and are trying to
paste in another, you need to delete the first icon and then add
the second.
I've added a custom icon to a service, but Who's There? isn't
displaying it.
- Be sure you are using version 2.0 or later of Who's There?
- You need to quit and restart Who's There? after adding a custom
icon to DoorStop.
When I try using the Log commands to have Who's There? display
log information, nothing happens.
OR
The Log commands do not appear in the Log menu.
- Be sure you have only one copy of Who's There? on your drive or
any mounted drives, and that the one copy is version 1.1 or later.
From the Log menu I request a summary for a particular service
(or IP address), but when Who's There? displays its "Summary by
..." window, nothing is displayed for the service (or IP address)
I requested.
- There are no lines in the current log file containing the service
(or IP address) you requested.