I might enable firewall on my Ubuntu desktop where my Roon server is installed. The instructions for Linux install mention firewall settings.
But they are referred to a somewhat cryptic for me post:
Can anyone please post the commands that would enable broadcast rules in Ubuntu’s firewall? I think I know how to open ports but I don’t know what to do with the broadcast/multicast rules. I think Ubuntu uses some “simple firewall” by default, not iptables.
If you’re using UFW, the following commands will get you halfway there…
sudo ufw allow proto udp to any port 9003 from 192.168.1.0/24
sudo ufw allow proto tcp from any to any port 9100:9200
…but discovery will fail with the firewall up. Therefore, it’s necessary to manually add iptables to UFW (it’s an iptables frontend) by manually editing some config files. This is where the second post comes in.
It’s something like:
sudo nano /etc/uwf/before.rules
# IGMP
-A ufw-before-input -m pkttype —pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype —pkt-type broadcast -j ACCEPT
You’ll need to reload UFW after making the changes.
PS. Additional rules are needed for ARC.
Thank you!
Is it just the port I needed to open in my router for ARC? Like this?
sudo ufw allow proto tcp from any to any port "myport_number"
By the way, in your rules why is the first rule from a subnet but the second rule is from “any”? I suppose they can be equal. I’d prefer “from any”. The server is behind the NAT anyway.
No, more like this since it’s incoming.
sudo ufw allow <port number>/tcp
Discovery of what? I never did this and my remotes and audio devices all work fine.
Is your firewall activated? It is on by default in Ubuntu server but off by default in Ubuntu desktop.
Aren’t 9003 and 9100-9200 incoming either? If not why open them?
roon@roon-vmpc:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
Roon core discovers the endpoints.
The first allows incoming from specific port and UDP only.
The second allows connections from a subnet.
I did not understand what you meant here. There are 3 items.
And
All of them are incoming. OK, the first one allows connections only from a subnet. But the second has “from any” and the third has no mention of “from”. Can you briefly describe why the second and third line are different?
Why the second line couldn’t be like this?
sudo ufw allow 9100:9200/tcp
Or the third line couldn’t be like this?
sudo ufw allow proto tcp from any to any port <port number>
I am an old dog trying to learn new tricks and install arc which the systen currently can’f find/ access at port 55000. Thanks to the community for your support, I just moved my Roon server to a dedicated mini pc i5-1235u w 16 G ram. my router home address is 192.168.68.1, but when I try to set up mu ufw rules it defaults back to 196.168.68.0. I am using he excellent work done by Alex , **
[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp
2. Activate UFW application profile for Roon
sudo ufw allow from 192.168.1.0/24 to any app roon <<< I changed to 192.168.68.1/24
3. Update IGMP rules for proper Roon-Endpoint discovery
sudo nano /etc/ufw/before.rules
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT
Also make sure that the following rule is set:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Thank you for any insights you may have an forgive me if I posted incorrectly
192.168.68.1/24 (192.168.1.0/24) should be 192.168.68.0/24 (or the ip address of your Roon server), assuming that your home router is using 192.168.68.1/24.
192.168.68.1/24 is the ip address of your home router, 192.168.68.0/24 is your network address. I don’t see the ip address of your Roon server mentioned. It should be somewhere in the 192.168.68.1-192.168.68.254 range, but not the same ip address as any other device in your network (i.e. 192.168.68.1, your home router).
This ufw rule allows tcp/udp ports outbound, but 55000/tcp should be inbound.
I think this has to be changed to:
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp|55000/tcp
But I’m no ufw expert. I suspect the [Roon] application profile settings in /etc/ufw/applications.d/roon don’t specify inbound/outbound.
I expect if you change this line to sudo ufw allow app roon tcp/udp ports will be opened inbound and outbound.
You’ll need to open TCP port 55000 to allow Roon ARC:
sudo ufw allow 55000/tcp comment 'Open Roon ARC tcp port 55000'
That’s probably a better option 
Gentlemen, thanks for your help. ARC lives!
I’m needing some help on this - I don’t know what i’m doing in the terminal to execute the correct rules ? Is there a start to finish template to get it working ? I tried copying the above but it says directory does not exist
sorry in advance I was forced over to linux by windows 11 upgrades
What hardware and Ubuntu version are you running Roon on, and is it solely used for Roon? Likewise, what router are you using, and do you intend using ARC with port forwarding or Tailscale?
desktop pc , linux mint , not solely roon (office computer , daily driver ) , if i switch the firewall off everything works but i would feel much safer having the firewall active and correct rules setup . Arc i would just go port forwarding route.
router is just a basic ip issued router from a provider her in New Zealand.
Personally, I only run the firewall on my daily driver when outside my home network since I am happy with my perimeter security, and the hardening I’ve done on my machines.
However, if you want an extra layer of security then you’ll need to execute the commands you referenced in your OP plus another further down the thread for ARC.
If you’re running UFW, and we’re unable to create the before rules, then you’ll have to create the folder first, e.g., sudo mkdir -p /etc/uwf.
If you’re still running into difficulty, please post output from the terminal.