Please help with firewall settings on Ubuntu

I might enable firewall on my Ubuntu desktop where my Roon server is installed. The instructions for Linux install mention firewall settings.

But they are referred to a somewhat cryptic for me post:

Can anyone please post the commands that would enable broadcast rules in Ubuntu’s firewall? I think I know how to open ports but I don’t know what to do with the broadcast/multicast rules. I think Ubuntu uses some “simple firewall” by default, not iptables.

If you’re using UFW, the following commands will get you halfway there…

sudo ufw allow proto udp to any port 9003 from
sudo ufw allow proto tcp from any to any port 9100:9200

…but discovery will fail with the firewall up. Therefore, it’s necessary to manually add iptables to UFW (it’s an iptables frontend) by manually editing some config files. This is where the second post comes in.

It’s something like:

sudo nano /etc/uwf/before.rules

-A ufw-before-input -m pkttype —pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype —pkt-type broadcast -j ACCEPT

You’ll need to reload UFW after making the changes.

PS. Additional rules are needed for ARC.


Thank you!

Is it just the port I needed to open in my router for ARC? Like this?

sudo ufw allow proto tcp from any to any port "myport_number"

By the way, in your rules why is the first rule from a subnet but the second rule is from “any”? I suppose they can be equal. I’d prefer “from any”. The server is behind the NAT anyway.

No, more like this since it’s incoming.

sudo ufw allow <port number>/tcp 

Discovery of what? I never did this and my remotes and audio devices all work fine.

Is your firewall activated? It is on by default in Ubuntu server but off by default in Ubuntu desktop.

Aren’t 9003 and 9100-9200 incoming either? If not why open them?

roon@roon-vmpc:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

1 Like

Roon core discovers the endpoints.

The first allows incoming from specific port and UDP only.

The second allows connections from a subnet.

I did not understand what you meant here. There are 3 items.


All of them are incoming. OK, the first one allows connections only from a subnet. But the second has “from any” and the third has no mention of “from”. Can you briefly describe why the second and third line are different?

Why the second line couldn’t be like this?

sudo ufw allow 9100:9200/tcp

Or the third line couldn’t be like this?

sudo ufw allow proto tcp from any to any port <port number>

I am an old dog trying to learn new tricks and install arc which the systen currently can’f find/ access at port 55000. Thanks to the community for your support, I just moved my Roon server to a dedicated mini pc i5-1235u w 16 G ram. my router home address is, but when I try to set up mu ufw rules it defaults back to I am using he excellent work done by Alex , **

  1. Create application profile for Roon**
    sudo nano /etc/ufw/applications.d/roon

title=Roon Server
description=Roon Labs Core Music Server

2. Activate UFW application profile for Roon
sudo ufw allow from to any app roon <<< I changed to

3. Update IGMP rules for proper Roon-Endpoint discovery
sudo nano /etc/ufw/before.rules

IGMP (Roon) ###"

-A ufw-before-input -s -j ACCEPT
-A ufw-before-input -d -j ACCEPT
-A ufw-before-input -s -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT

Also make sure that the following rule is set:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Thank you for any insights you may have an forgive me if I posted incorrectly ( should be (or the ip address of your Roon server), assuming that your home router is using is the ip address of your home router, is your network address. I don’t see the ip address of your Roon server mentioned. It should be somewhere in the range, but not the same ip address as any other device in your network (i.e., your home router).
This ufw rule allows tcp/udp ports outbound, but 55000/tcp should be inbound.

I think this has to be changed to:

But I’m no ufw expert. I suspect the [Roon] application profile settings in /etc/ufw/applications.d/roon don’t specify inbound/outbound.

I expect if you change this line to sudo ufw allow app roon tcp/udp ports will be opened inbound and outbound.

You’ll need to open TCP port 55000 to allow Roon ARC:

sudo ufw allow 55000/tcp comment 'Open Roon ARC tcp port 55000'
1 Like

That’s probably a better option :wink:

1 Like

Gentlemen, thanks for your help. ARC lives!