Review: DoorStop Personal Firewall 2.0
Developer: Open Door Networks
Price: $59 (free for EarthLink DSL users)
Requirements: Power Mac with Mac OS 8.1 or greater.
With more personal computers being left online 24 hours a day, the desire, if not need, for a firewall of some sort is on the rise. Like NetBarrier, DoorStop offers Macintosh users protection from the network. However, the similarity ends there. With a very different user interface and a feature set that sticks to the basics, DoorStop will likely appeal to novice Mac users.
Setting up DoorStop is astoundingly simple, in part because, at least in the Basic mode, there is so little you can configure. You can allow or deny access to Web sharing, file sharing over TCP/IP (DoorStop does not protect AppleTalk, but the typical home user really doesn’t need to worry about attacks from there), or everything else. By default, access to everything is denied to everyone, so unless you are hosting Web pages or sharing files, you may not have to do any setting up at all.
Access to each of these services can be granted to the entire network (good for Web sharing) or limited to specific sites or computers. You can give DoorStop a list of IP addresses to either allow or reject, and subnets are accepted as well as individual IP addresses. DoorStop will even help you find the IP address of a site or ISP if you don’t know it, so you can add it to your Allow or Deny list. Simple, simple.
You probably have a lot of “what if I want to…” type questions in your head right now; what I’ve described above is great as far as it goes, but let’s face it, there aren’t a lot of options there. When they say Basic mode, they mean it! One quick change in the preferences to Advanced mode, and DoorStop gains a good deal more functionality while remaining drop-dead simple to configure.
When you move to Advanced mode, you gain the ability to protect other ports. DoorStop has a drop-down menu with some common ports you might want to protect, such as Retrospect Backup, FileMaker Pro database hosting, and the omnipresent Napster. If you want to control access to some other port, it’s as simple as typing in the port number. Ports in DoorStop’s dropdown menu have easily identifiable icons associated with them, making it easy to see at a glance what you’re protecting.
Advanced mode also gives you a little bit more control in specifying subnets, although you still cannot specify a range of IP addresses within a subnet, like 220.127.116.11-18.104.22.168, meaning you might have to either spend a while adding lots of individual addresses to your access list, or allow in some unwanted traffic.
You can also protect UDP ports when you’re in Advanced mode, though the manual makes it clear that this is generally unnecessary and could have undesirable side-effects. The manual tells us that UDP ports are used basically by the system, for things such as DNS lookup and NTP (setting your clock over the network). You can also choose to log UDP port access, but again, you’re unlikely to need to do that. This feature was likely added just for completeness, and DoorStop does a good job explaining it in the documentation and keeping it a separate option in Preferences, so it’s unlikely a user will accidentally cripple his network access by turning off UDP access.
Just to let you feel completely safe about your setup, DoorStop also has a Self Test feature: it can try to access your computer, through any port you select, from either your own IP address or any other one you type in. It’s hard to decide how I feel about this feature: on the one hand, it’s wholly redundant: you can get the same information the Self Test provides you by looking in your Setup window. However, it definitely confirms your feeling of security when you test your firewall and get back a message letting you know it’s working. A firewall program, especially on a personal Mac, is largely about feeling secure, and the Self Test definitely helps you to feel safe and protected.
Once DoorStop is set up, you can pretty much forget it’s there. You can ask it to inform you of allowed and/or denied accesses, but in practice I find this is unwise, as at least in my case, I’d be getting a lot of notices popping up on my screen. It would be nice if you could ask DoorStop to inform you only of allowed/rejected accesses to specific ports or services. In my case, I often have people access the FileMaker Pro port, so I don’t really want to be notified every time it happens; but on the other hand, granting access through other ports, such as File Sharing, happens more rarely and it would be nice if I could get notification when that happens.
As far as I can tell, DoorStop logs everything. Preferences allow you to have it record allowed and/or denied accesses.
The log window puts in boldface any access attempts recorded within the last fifteen minutes, so they stick out when you open the log. The log window looks just like a Finder window, and, better yet, it functions just like one, too! Click on the header of your choice, and the list sorts in that order. However you sort, the most recent access attempts stay in bold, which is a really nice touch: you can scan the list and find out about times in the past when a particular host has tried to access other ports on your machine. Double-clicking on a line opens a window which basically duplicates the information you can see in the log, but it also gives you a “Learn More…” button. Press this and your Web browser opens with information about that particular access attempt. Unfortunately, the Web page doesn’t load with iCab (this doesn’t seem to be an issue with my iCab preferences, but with as configurable a program as iCab, it’s hard to rule that out with certainty), but it works fine with Internet Explorer 5.
The log’s Internet integration is one of the greatest strengths of DoorStop. It means that you don’t have to be a networking guru to satisfy your curiosity about who is trying to access your computer.
While DoorStop is a very impressive product, it’s not without its shortcomings. Keeping in mind that it’s not a power-user type of program, but one that keeps the basic needs of the average user in mind, there are two points that really could use some improvement:
In the case of the denial of access shown above, the program’s FAQ is helpful in pointing out the problem, but it also highlights a shortcoming of DoorStop. One of the questions the FAQ addresses is, “I go to download a file and DoorStop logs an access attempt. What’s going on?” Unfortunately, DoorStop doesn’t play well with FTP. If you try to download a file using FTP when DoorStop is on, you’ll get an error from the server you try downloading from. This is because (the FAQ explains) DoorStop denies the FTP server access to a random port it attempts to access on your machine. The best DoorStop can do is offer a workaround: temporarily turn DoorStop off (a control strip menu lets you turn it off for a set amount of time). In practice, this is just a pain. Worse, I often end up turning DoorStop off permanently when I have lots of files to download, and then forgetting to turn it back on again when I’m done. Ideally, DoorStop should be completely transparent to the user.
The other shortcoming of DoorStop is that it does not protect against ping flooding. The only time I’ve encountered ping flooding has been from malicious people on IRC, so this may not be an issue for you. However, ping flooding can severely slow your network connection, so at the very least, protection against this would be a great feature to add to the next version of DoorStop.
DoorStop is a remarkably simple program. It has a single function and performs it quite well. Its user interface is great, the manual is well-written and helpful (though it’s only in HTML, so if you want a printout, it’ll be a pain), and for the most part, the program is completely transparent. There is a free ten-day trial available, and I’d encourage you to give DoorStop a shot.