Please help with firewall settings on Ubuntu

I might enable the firewall on my Ubuntu desktop where my Roon server is installed. The instructions for the Linux install mention firewall settings.

But they refer to a post that is somewhat cryptic for me:

Can anyone please post the commands that would enable broadcast rules in Ubuntu’s firewall? I think I know how to open ports but I don’t know what to do with the broadcast/multicast rules. I think Ubuntu uses some “simple firewall” by default, not iptables.

If you’re using UFW, the following commands will get you halfway there…

sudo ufw allow proto udp to any port 9003 from 192.168.1.0/24
sudo ufw allow proto tcp from any to any port 9100:9200

…but discovery will fail with the firewall up. Therefore, it’s necessary to manually add iptables to UFW (it’s an iptables frontend) by manually editing some config files. This is where the second post comes in.

It’s something like:

sudo nano /etc/ufw/before.rules

# IGMP
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT

You’ll need to reload UFW after making the changes.

PS. Additional rules are needed for ARC.


Thank you!

Is it just the port I needed to open in my router for ARC? Like this?

sudo ufw allow proto tcp from any to any port "myport_number"

By the way, in your rules why is the first rule from a subnet but the second rule is from “any”? I suppose they can be equal. I’d prefer “from any”. The server is behind the NAT anyway.

No, more like this since it’s incoming.

sudo ufw allow <port number>/tcp 

Discovery of what? I never did this and my remotes and audio devices all work fine.

Is your firewall activated? It is on by default in Ubuntu server but off by default in Ubuntu desktop.

Aren’t 9003 and 9100-9200 incoming either? If not why open them?

roon@roon-vmpc:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip


Roon core discovers the endpoints.

The first allows incoming from a specific port and UDP only.

The second allows connections from a subnet.

I did not understand what you meant here. There are 3 items.

And

All of them are incoming. OK, the first one allows connections only from a subnet. But the second has “from any” and the third has no mention of “from”. Can you briefly describe why the second and third lines are different?

Why couldn’t the second line be like this?

sudo ufw allow 9100:9200/tcp

Or why couldn’t the third line be like this?

sudo ufw allow proto tcp from any to any port <port number>

I am an old dog trying to learn new tricks and install ARC, which the system currently can’t find/access at port 55000. Thanks to the community for your support, I just moved my Roon server to a dedicated mini PC i5-1235u w 16 G RAM. My router home address is 192.168.68.1, but when I try to set up my ufw rules it defaults back to 196.168.68.0. I am using the excellent work done by Alex:

1. Create application profile for Roon
sudo nano /etc/ufw/applications.d/roon

[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp

2. Activate UFW application profile for Roon
sudo ufw allow from 192.168.1.0/24 to any app roon <<< I changed to 192.168.68.1/24

3. Update IGMP rules for proper Roon-Endpoint discovery
sudo nano /etc/ufw/before.rules

# IGMP (Roon)

-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT

Also make sure that the following rule is set:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Thank you for any insights you may have, and forgive me if I posted incorrectly.
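As an added example (not code from the thread or from Roon), a small POSIX shell script that inserts the multicast/broadcast ACCEPT rules quoted in the posts above into a before.rules file exactly once, and only inside the `*filter` table before its `COMMIT` line, since iptables-restore ignores rules placed after `COMMIT`. It assumes the file path is passed as the first argument; the sample file used to check it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently add the Roon multicast/
# broadcast rules to a UFW before.rules file, in the right place.
# Usage: add_roon_igmp_rules /etc/ufw/before.rules ; then: sudo ufw reload
set -e

ROON_IGMP_RULES='# IGMP (Roon)
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT'

# Returns 0 if the file already carries the multicast pkttype rule.
has_roon_igmp_rules() {
    grep -q -- '--pkt-type multicast -j ACCEPT' "$1"
}

# Insert the rule block just before the first COMMIT of the *filter table.
add_roon_igmp_rules() {
    f=$1
    if has_roon_igmp_rules "$f"; then
        return 0            # already present: do nothing (safe to re-run)
    fi
    tmp=$(mktemp)
    awk -v rules="$ROON_IGMP_RULES" '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT/ && !done { print rules; done = 1 }
        { print }
    ' "$f" > "$tmp"
    cat "$tmp" > "$f"       # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Check helper: number of pkttype rules that sit before the filter table's
# COMMIT (rules after it would silently never load).
count_rules_before_commit() {
    awk '/^\*filter/ { in_filter = 1 }
         in_filter && /^COMMIT/ { exit }
         in_filter && /^-A ufw-before-input .*pkt-type/ { n++ }
         END { print n + 0 }' "$1"
}
```

After running it against the real file, `sudo ufw reload` and `sudo ufw status verbose` confirm UFW still parses the file.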

192.168.68.1/24 (192.168.1.0/24) should be 192.168.68.0/24 (or the ip address of your Roon server), assuming that your home router is using 192.168.68.1/24.
192.168.68.1/24 is the ip address of your home router, 192.168.68.0/24 is your network address. I don’t see the ip address of your Roon server mentioned. It should be somewhere in the 192.168.68.1-192.168.68.254 range, but not the same ip address as any other device in your network (i.e. 192.168.68.1, your home router).
This ufw rule allows tcp/udp ports outbound, but 55000/tcp should be inbound.

I think this has to be changed to:
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp|55000/tcp

But I’m no ufw expert. I suspect the [Roon] application profile settings in /etc/ufw/applications.d/roon don’t specify inbound/outbound.

I expect if you change this line to sudo ufw allow app roon, tcp/udp ports will be opened inbound and outbound.
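To make the host-address versus network-address point above concrete, here is an added shell helper (not from the thread) that turns a host/prefix string such as 192.168.68.1/24 into the network address 192.168.68.0/24, which is what UFW itself displays when it "defaults back" to .0; the roon_allow_command wrapper and its input values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: compute the network address for a
# host/prefix so "allow from <LAN>" covers the whole LAN, not a host.
set -e

# Dotted quad -> 32-bit integer (shell arithmetic is at least 32-bit).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of 192.168.68.1/24  ->  192.168.68.0/24
network_of() {
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    n=$(ip_to_int "$ip")
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    echo "$(int_to_ip $(( n & mask )))/$prefix"
}

# Hypothetical wrapper: the UFW command from the thread, on the corrected LAN.
roon_allow_command() {
    echo "sudo ufw allow from $(network_of "$1") to any app roon"
}
```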

You’ll need to open TCP port 55000 to allow Roon ARC:

sudo ufw allow 55000/tcp comment 'Open Roon ARC tcp port 55000'

That’s probably a better option :wink:


Gentlemen, thanks for your help. ARC lives!
