Why do some apps need to be explicitly allowed on a firewall and others not?
Solution 1:
It depends largely on whether the program needs to receive connections.
Web browsers transmit data through the firewall with a unique identifier and the remote server responds back with that same identifier. The firewall allows that data to come back in without issue because the identifiers match. On the outgoing packet a temporary port is opened on the firewall and packets with the correct identifier sent to that same port have a known destination and "trusted" reason to be there.
Bittorrent programs and other servers on the other hand do not send a packet out first, instead they wait on connections from the Internet. Their ports are neither temporary nor are there any unique identifiers exchanged from the bittorrent client to establish whether the traffic is "intentional" and temporary.
As a result for programs expecting incoming connections you have to specifically open ports on the firewall and hold them open.