Disabling Firewalls - Important General Guidance

Hi all,

In some Support and general discussion topics you may read advice to switch off the device’s firewall.

I’d like to clarify that this advice should not be followed blindly, and users should always consider their own system’s setup and understand the implications. Leaving the firewall disabled may leave the system vulnerable to malicious attack.

Typically, the advice to disable is purely a temporary troubleshooting step, just to rule out whether the firewall / firewall rules are blocking Roon network traffic. After the test the firewall should be re-enabled.

Why is it suggested … if disabling the firewall:

  • Has no effect on Roon then the issue lies elsewhere.
  • Has a positive effect on Roon then the firewall rules should be scrutinised and adjusted as per Roon’s Help Centre Page …

When is it ok to have the OS firewall disabled

In some circumstances it’s perfectly fine to permanently disable the OS’s native firewall.
Typically, this is for systems that are running an alternative firewall (on the device) and thus the default OS firewall is now redundant and might even have undesirable interactions.

Arguably similar could be said when the firewall is on a dedicated network device (e.g. the router), though personally I would always ensure that the computer devices (Windows/macOS/Linux) are running their own firewalls as an additional line of defence.

Operating System Upgrades and Firewalls

After an OS version upgrade the native firewall settings may be reset or adjusted (it shouldn’t happen, but we know it does).

  • A previously disabled firewall may become active again.
  • Firewall rules may be lost or deactivated.

Thus, if encountering difficulty with Roon following an OS update, it’s definitely a suspect area to investigate. If you’re not so familiar with firewalls, then often the simplest way to resolve is to manually reinstall Roon on the device as this will update the firewall rules.

This is of course general information, there will always be specific cases and caveats, but I hope this helps.

I’ll end on this … If in any doubt please seek advice … there’s a whole wealth of experience on this board.

12 Likes

@Carl much appreciated advice!

1 Like

Might be worth pointing out that on macOS the firewall is off by default and this is OK because a default macOS installation has no servers running and doesn’t listen to any connections.

This remains the case for most macOS users, too. If the user installs any server apps that accept outside connections, then they may need/want to configure the firewall accordingly.

Windows, on the other hand, does have default services that listen to outside connections, and therefore the firewall is enabled by default and should stay that way (except for testing as outlined in the opening post).

6 Likes
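
Added example, not part of the thread: whether a host actually has services listening for outside connections can be checked rather than assumed. This sketch parses `lsof -nP -iTCP -sTCP:LISTEN` output (available on macOS and Linux) and reports listeners that are not bound to loopback only; the sample output, process names, ports and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; process names,
# addresses and ports are made up for illustration.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     301 root    7u  IPv6 0x1a2b      0t0  TCP [::1]:631 (LISTEN)
cupsd     301 root    8u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:631 (LISTEN)
mediasrv  842 alice  45u  IPv4 0x1a2d      0t0  TCP *:5000 (LISTEN)
mediasrv  842 alice  46u  IPv6 0x1a2f      0t0  TCP *:5000 (LISTEN)
sshd      120 root    3u  IPv4 0x1a2e      0t0  TCP 192.168.1.20:22 (LISTEN)
"""


def split_endpoint(name):
    """Split lsof's NAME field ('*:80', '127.0.0.1:631', '[::1]:631')."""
    host, _, port = name.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only when the socket is bound to a loopback address."""
    if host == "*":
        return False  # wildcard bind: listens on every interface
    # Drop an IPv6 zone suffix such as '%lo0' before parsing.
    return ipaddress.ip_address(host.split("%")[0]).is_loopback


def exposed_listeners(lsof_output):
    """Return sorted unique (command, host, port) for non-loopback listeners."""
    found = set()
    for line in lsof_output.splitlines():
        fields = line.split()
        # Data rows have 10 whitespace-separated fields ending in '(LISTEN)';
        # this skips the header and anything that is not a listening socket.
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, port = split_endpoint(fields[-2])
        if not is_loopback(host):
            found.add((fields[0], host, port))
    return sorted(found)


if __name__ == "__main__":
    for command, host, port in exposed_listeners(SAMPLE):
        print(f"{command} listens on {host}:{port} (reachable from the network)")
```

On a real machine, pass the function the output of `lsof -nP -iTCP -sTCP:LISTEN`; it covers TCP listeners only. An empty result means no TCP service is listening on a non-loopback address, which is the situation the post above describes for a default installation.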

If that’s true, then macOS is not secure by default. If one expects the user to do the right thing, it’s almost guaranteed it won’t happen. Windows learned this lesson the hard way, as it’s been the preferred target of attacks.

2 Likes

I don’t want to go there. Clearly the macOS record is better and to a large part this is because they don’t install insecure services that listen by default like the imbeciles at Microsoft. Anyone going out of their way to install a web server should know what they are doing.

Anyway, I was just stating the facts to avoid people losing their mind if they find their macOS firewall being off by default.

2 Likes

Whatever the reasons for macOS’s record, it’s no thanks to having the firewall disabled by default, so there’s no point in apologizing for it.

I didn’t apologize for it

2 Likes

BTW most Linux distros have the firewall off by default, too, for the same reason.

2 Likes

That’s even worse for an open-source OS that is frequently used as a server.

(Offtopic)

This is a thread about the importance of firewall in the context of Roon, which runs on Linux (and I suspect the vast majority of Roon servers runs on desktops). I think it’s on topic.

As Roon runs on an OS, the facts for the importance of firewall in the context of Roon are:

  • On Windows, the firewall is on by default and it should very much be on. Therefore, if running Roon Server, exceptions must be configured.
  • On macOS, the firewall is off by default. Therefore, if running Roon Server, exceptions don’t have to be configured in the default configuration. If the user enables the firewall (necessity of which varies), exceptions must be added.
  • On Linux: The firewall default depends on the distribution. If firewall is up, it needs exceptions.

Everything else is IMHO philosophy and not helpful here.

1 Like

On top of the fact that your average Mac user is not only enabling services that allow outside connections, they are also quite likely to be behind a NAT/firewall to begin with. I don’t know too many people who hardwire their Mac (or Windows PC) directly into a cable or fiber modem with a public IP address.

For crying out loud, if turning off a computer’s internal firewall created such incredible holes, we wouldn’t see so many people struggling with ARC and port forwarding…

1 Like

When they are home, yes. People do travel with laptops though, so the OS should be secure by default, Roon or not Roon.

Well, turning off firewall is creating a hole for sure. Isn’t this what the OP is warning about? I don’t understand the part about port forwarding though. That’s something that needs to be configured in the router, regardless of the firewall.

And as @Suedkiez mentioned, macOS is “secure by default” even with its firewall off. Lots has been written about this, such as MacOS Firewall Needed or Unnecessary? - Information Security Stack Exchange

Likewise, much already written about this, e.g.:

It’s true that NAT is a de facto firewall, but that’s not what we’re talking about here. Besides, there’s UPnP to mess it up.