WSL2 Is bypassing windows firewall rules.

[rjadidi920]

Windows Version

Windows 10,11

WSL Version

2

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

No response

Distro Version

No response

Other Software

No response

Repro Steps

Add a outbound blocking rule in firewall for port 22.
Use a WSL2 linux VM. SSH to a server, it doesn't get blocked by the firewall rule.

Expected Behavior

Blocking SSH of the WSL2 VMs.

Actual Behavior

Not blocking SSH connection of WSL2 VMs.

Diagnostic Logs

No response

[elsaco]

@rjadidi920 latest WSL beta release added an experimental option to firewall your WSL containers. See details at https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update. This works on Windows 11 only! Windows 10 doesn't support networkingMode=mirrored option. Blocking port 22 on host and with firewall=true set in .wslconfig seems to work. It adds a new NetFirewallHyperVRule to prevent outbound SSH connections:

PS C:\Users\elsaco> Get-NetFirewallHyperVRule -DisplayName NoSSH-Outbound

Name                  : {F17FEC1C-24F1-4E76-923E-E22AF8B67B2C}
DisplayName           : NoSSH-Outbound
Direction             : Outbound
VMCreatorId           : Any
Protocol              : TCP
LocalAddresses        : Any
LocalPorts            : Any
RemoteAddresses       : Any
RemotePorts           : 22
Action                : Block
Enabled               : True
EnforcementStatus     : OK
PolicyStoreSourceType : HostFirewallLocal
Profiles              : Any

Output when trying to connect from WSL to a local host:

PS C:\Users\elsaco> ssh tux@raspi
ssh: connect to host raspi port 22: Permission denied

This is the firewall rule on Windows side that gets mirrored to WSL side:

PS C:\Users\elsaco> Get-NetFirewallRule -DisplayName NoSSH-Outbound

Name                          : {F17FEC1C-24F1-4E76-923E-E22AF8B67B2C}
DisplayName                   : NoSSH-Outbound
Description                   : Block outbound SSH connections
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Outbound
Action                        : Block
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :

[subvert0r]

@elsaco Is this some sort of a joke?
"Hey, we literally undermined the entire windows firewall with WSL2, but no need to panic, an insider and beta update on Windows 11 can help you with that!"

What about like 99% of enterprise Windows 10,11's out there that are using Windows firewall to block connections in their comapny/sector? Are you guys actually asking everyone to stop trusting any security feature that Microsoft has?

How can we block the WSL2 network connections entirely by default in endpoints without changing the config of WSL containers? Don't tell me we don't even have an option to entirely block WSL2 network connections..

[nlvw]

Services run inside WSL2 are not available externally to the machine that is running the wsl2 instance. The automatic port forwarding that happens only forwards/listens on localhost. The only thing that is bypassed on the windows firewall are outbound rules.

The external switch networking mode, which is not the default and requires admin privs to setup the hyper-v switch, gets its own IP from your external network and acts as a VM would so nothing new there.

The new firewall feature described above is introduced together with the mirror networking feature and the 2 look to be designed to be used together. Mirror networking changes, among a lot of other things, the behavior of the automatic port forwarding which necessitates the new firewall feature. Admittedly I think the new firewall feature should be forced on when mirror networking is used but things are too new to see all the interactions. Both are in preview/experimental for community testing and feedback.

Please have more facts before going doomsday or be more clear in what use case you are having an issue. Now while WSL2 could use some better systemwide controls (GPOs, Intune, etc..) nothing here is a security risk. WSL2 is meant for developers; not for tightly controlled workstations where every app, and outbound connection, is explicitly whitelisted.

[rjadidi920]

WSL2 is meant for developers; not for tightly controlled workstations where every app, and outbound connection, is explicitly whitelisted.

Is this how you guys do security at Microsoft?
"Hey if it's a developer, let it do whatever it wants, otherwise we would try to monitor the activity" ...
What does being a developer have to do with anything here? A company says we would only allow access to certain IPs/Servers no matter the role of the employee via the Windows Firewall, Microsoft WSL2 says not on my watch! (totally not a backdoor by the way)

[arturmorandi]

This is a sick joke from Microsoft, bypassing its own security measures. The ridiculousness increases due to the fact that the last response is from October 2023. Also, '.wslconfig' is user editable, so I'll have to inject a new config file for everyone and remove write privileges, which is archaic at least.

I will open a security incident with MS about this (P1), but most probably I'll be ignored like the others on this post were.