Windows Defender Firewall blocks access from WSL2 #4139
Comments
I have the same issue. It would also be nice if it were possible to change the network profile of the vEthernet adapter that WSL2 creates to Private. This way, we could at least disable the firewall for private networks. I tried doing this in PowerShell, but PS claims the adapter doesn't exist (I'm using the correct alias):
I want to connect from WSL2 to X410. And this works currently. For the xeyes demo:

```bash
sudo apt install libgtk2.0-0 libxss1 libasound2
export DISPLAY=$(cat /etc/resolv.conf | grep nameserver | awk '{print $2}'):0.0
sudo apt install x11-apps -y && xeyes
```
Allowing traffic for Public networks via firewall rules works as described by @faymek, but it's kind of working on my nerves security-wise. So I tried to make the network private using the tricks mentioned here and here, but to no avail. Even after disabling and re-enabling the device (vEthernet (WSL) / Hyper-V Virtual Ethernet Adapter) the firewall still blocks it. And rebooting the host recreates the keys in the registry. I even tried protecting the keys with access permissions, but Windows can still overwrite them on reboot.
@jovton also having the same problem. After disabling the public profile vEthernet WSL rule, it works until reboot. Tried with admin privileges also: the "Apply" button is simply disabled, all you can do is either "OK" or "Cancel", which in turn disables the Defender rule for the current session only. Is there any solution to this? Or maybe a script I can run at startup to make it automatic?
@sandric: I wrote this PS script to deal with the WSL2 IP address changing on reboot: https://github.com/paul-reilly/WSL2-Xming-Init It works with the firewall active on my machine at least.
Upon reboot, I disable the firewall on the WSL2 interface with an Administrator PowerShell:
This only works after I've launched the X client that is trying to talk to my VcXsrv. I launch my X client (xterm) with a desktop shortcut whose "Target" is set to:
Where wslrun.sh is:
Tedious parts of this:
Just chiming in that it was very unintuitive to figure out that the network being created was marked public and that's why I couldn't actually access host services due to the firewall. I'd expect it to be marked private.
This would just be a workaround and is not good. All you need to do is add an inbound firewall rule using the program name C:\Program Files\VcXsrv\vcxsrv.exe
For the record, I added some more surgical options and documented here: https://github.com/cascadium/wsl-windows-toolbar-launcher#firewall-rules For me though the ideal solution would be for this to work:
Just a note, the settings from the above comment work for me, but I had trouble finding them: control panel > system and security > windows defender firewall > advanced settings > inbound rules > edit the vcxsrv rule for public networks. Also, since the hostname is in the DNS forwarder, you can do `export DISPLAY=$(host $HOST | head -n1 | cut -d' ' -f4):0` to set the display.
I tried this method but it didn't work. After some searching I found that there are two block rules for "VcXsrv windows xserver" in my firewall rule list and these rules take precedence. Windows will add rules to your firewall when you first start VcXsrv windows xserver, and you should disable these rules manually (not remove them, or Windows will try to add them again when you open VcXsrv next time).
@QingGo You just need to edit the TCP rule for "VcXsrv windows xserver" from Block to Allow, no need to disable it and create a new rule. I have successfully used this approach to allow WSL 2 to connect to a PostgreSQL installed on Windows. P.S.: can someone enlighten me why we limit the IP range to 172.16.0.0/12?
It's a standard private IP subnet range that WSL seems to rattle around:
Hmm, if you add that range, you get most home networks, and there's some chance of an attack via a compromised printer or whatever. The rule should only allow connections from the local PC.
Because PowerShell allows us to modify firewall rules, I think writing a script to update the WSL 2 IP address for each inbound rule may be a good idea; we only need to create the rules manually once and run the script after Windows startup. Something like this (run in an admin shell):

```powershell
Import-Module -Name 'NetSecurity'
# Read the WSL 2 eth0 IPv4 address from inside the distro
$wsl2Ip = wsl.exe /bin/bash -c "ip addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"
# Re-scope every inbound TCP rule named postgres.exe to that address
Get-NetFirewallRule -Direction Inbound | Where-Object {
    $_.DisplayName -eq "postgres.exe" `
        -and ($_ | Get-NetFirewallPortFilter).Protocol -eq "TCP"
} | ForEach-Object {
    Set-NetFirewallRule -Name $_.Name -RemoteAddress $wsl2Ip
}
```
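The scripts in this thread either disable the Public profile on the WSL adapter or allow inbound traffic from all of 172.16.0.0/12, which is the over-broad scope questioned above. As an added example (not code from the thread or from the WSL project), the following keeps one inbound rule bound to the vEthernet (WSL) interface and to the prefix that adapter currently has, and re-scopes it idempotently when WSL hands out a new prefix. The adapter alias is the one named in the thread; the rule name and port 6000 (the X server port mentioned in the issue) are assumptions you can change.

```powershell
#Requires -RunAsAdministrator
# Added example, not from this thread: one inbound allow rule scoped to the
# WSL adapter and its current IPv4 prefix, instead of disabling the profile
# or allowing the whole 172.16.0.0/12 range.
Import-Module NetSecurity

$alias    = 'vEthernet (WSL)'        # adapter alias used throughout the thread
$ruleName = 'WSL2 scoped inbound'    # assumed rule name
$port     = 6000                     # assumed: X server port

# Turn the adapter's address plus prefix length (e.g. 172.28.16.1/20) into the
# network prefix (172.28.16.0/20), which is what RemoteAddress expects.
function Get-NetworkPrefix([string]$Address, [int]$PrefixLength) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                       # BitConverter is little-endian
    $value = [int64][BitConverter]::ToUInt32($bytes, 0)
    $mask  = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $out   = [BitConverter]::GetBytes([uint32]($value -band $mask))
    [Array]::Reverse($out)
    return ('{0}/{1}' -f ([System.Net.IPAddress]::new($out)).ToString(), $PrefixLength)
}

$ip = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction Stop |
      Select-Object -First 1
$subnet = Get-NetworkPrefix $ip.IPAddress $ip.PrefixLength

$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    # The adapter is on the Public profile (see the issue text), so bind the
    # rule to that profile only; it still never matches the physical NIC.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -InterfaceAlias $alias `
        -RemoteAddress $subnet -Profile Public | Out-Null
} else {
    # WSL may recreate its switch with a different prefix after a reboot, so a
    # login task can re-run this to refresh the scope without duplicating rules.
    $rule | Set-NetFirewallRule -InterfaceAlias $alias -RemoteAddress $subnet
}

# Show the scope the rule actually has, so it can be checked after each run.
$rule = Get-NetFirewallRule -DisplayName $ruleName
[pscustomobject]@{
    Rule      = $rule.DisplayName
    Interface = ($rule | Get-NetFirewallInterfaceFilter).InterfaceAlias
    Remote    = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    LocalPort = ($rule | Get-NetFirewallPortFilter).LocalPort
}
```

Because the Public profile stays enabled on the adapter, the "Restore settings" warning in Windows Security described later in the thread does not appear.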
Related to #4150. This is the script I use, run via Task Scheduler on login, sourced from #4150:

```powershell
# Find the WSL 2 eth0 IPv4 address; exit if it cannot be parsed
$remoteip = wsl.exe /bin/bash -c "ip addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'"
$found = $remoteip -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';
if( !$found ){
    echo "The Script Exited, the ip address of WSL 2 cannot be found";
    exit;
}
#[Ports]
#All the ports you want to forward separated by comma
$ports=@(80,8080,443,10000,3000,5000);
#[Static ip]
#You can change the addr to your ip config to listen to a specific address
$addr='0.0.0.0';
#Remove Firewall Exception Rules (nothing to remove on the first run)
Remove-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -ErrorAction SilentlyContinue;
#adding Exception Rules for inbound and outbound Rules
New-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Outbound -LocalPort $ports -Action Allow -Protocol TCP;
New-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock' -Direction Inbound -RemoteAddress $remoteip -Action Allow -Protocol TCP;
#Forward each listed host port to the same port inside WSL 2
for( $i = 0; $i -lt $ports.length; $i++ ){
    $port = $ports[$i];
    netsh interface portproxy delete v4tov4 listenport=$port listenaddress=$addr;
    netsh interface portproxy add v4tov4 listenport=$port listenaddress=$addr connectport=$port connectaddress=$remoteip;
}
```
Cross WSL 2 distro access via ports published to the Windows host should work, bypassing all firewalls. Am I right? In the case of the Docker Desktop Kubernetes integration using HTTP port 6443, it works well. Is it a firewall issue or something else, like a difference between the Kubernetes and Docker proxy implementations?
#4585 (comment) Might be helpful for solving the firewall problem.
Inlining here since this issue ended up being the landing zone. Props go to @dansanduleac
I've been struggling to understand why this is still an issue after 3 years of being open. What the hell is going on at Microsoft? My company is now telling me that I can't use WSL2 precisely because they want to enforce a policy of not allowing Public domain firewalls to be disabled. I'm sure I'm not the only person in that boat. Can we have some kind of update please. @craigloewen-msft - Is there anybody else that could be added to this issue to get some traction?
My missing piece was that the firewall Public Profile "Firewall State: Inbound Connections" was set to "Block all connections". After changing this to "Block (default)", adding the rules below using PowerShell as Administrator allowed WSL connections in and out.
EDIT: Note that this basically turns off the firewall for WSL - use with caution! For more granular access you can define the specific ports you want to allow in and out with the New-NetFirewallRule PowerShell cmdlet.
Same issue here. Have to not use the block all incoming firewall setting on public networks, otherwise WSL2 is broken when accessing the internet. Microsoft: please let us designate WSL2 as private.
Just found a workaround that seems to allow this. First, install Hyper-V Manager if necessary. This is purely to get access to the PowerShell tools it provides to manage VM switches. Run Manually assign an IP to the adapter via Control Panel, something in the 172.XX.XX.1 range, and make sure that your WSL install is on the same subnet. Run Slight disclaimer: I've literally only just discovered that this works, so haven't tested it extensively, but it seems to be able to reliably access the Internet and the host machine. EDIT: Unfortunately I've just found that it doesn't survive a reboot. Ah well.
This is insanely dumb. Why on earth would they choose to set a PURELY INTERNAL NETWORK as "Public" in the firewall settings?? This network has the same level of trust as Starbucks wifi. It should be a "Private" network BY DEFAULT. ughh
WSL2 already supports systemd and can start the sshd service, so we can use the port forwarding function of ssh to let WSL2 access the host port.
Ridiculous. Going back to WSL1. Can't it talk directly to the networking devices anyway?
WSL1 isn't a win either.. (in terms of the previously discussed DNS issues)
Since I just got bumped on email about this issue, I'd like to point everyone to the fact that a vSwitch can now be used to directly connect a WSL2 distro, officially, no hacks, using "networkingMode=bridged". You do need W11 Pro, which shouldn't be an issue. I compiled a nice big tutorial a couple of days ago as a comment in the main networking thread: Likewise added it to my GitHub: I went through the W10 to W11 upgrade (linked instructions for those with "unsupported" hardware), WSL2 Preview, creation of a vSwitch, configuration of a bridge, and as a bonus systemd configuration on Ubuntu with a complete systemd based networking setup. It should be doable for both newbies and experienced users. Btw, I can now tear up and set up a new WSL2 instance with proper networking and full apt upgrades and all in less than 10 minutes, easy-peasy.
For those of you that cannot for whatever reason install Windows 11, it's now possible to run WSLg (https://github.com/microsoft/wslg) in WSL2 on Windows 10 builds that have a UBR >= 2311. So, if you are reading this issue because you are trying to run Linux GUIs in Windows using an X11 server like VcXsrv installed in Windows, then one alternative is to use WSLg instead. This solved all the problems I was personally having, as I now do not have to disable the Defender firewall for the WSL2 connection in order to get the GUI processes in WSL2 to be able to connect to the X11 port running in Windows. That in turn allows me to connect to my corporate VPN (which was otherwise blocked due to security policies related to firewall settings). If you don't have the .2311 build of Windows 10, then install all the latest updates from Windows Update. You need to be updated to Version 22H2. I took the advice from here - https://superuser.com/questions/1754138/running-wsl-that-was-installed-from-the-microsoft-store-results-in-windows-vers. Note if that doesn't get you to UBR 2311, then you may need the preview update https://support.microsoft.com/en-gb/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2. I actually couldn't get that via Windows Update - probably because it's a preview release, but I found I could install it manually by downloading from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5020030. Do this at your own risk though - it's a preview release. People seem to think it will be out of preview in a few months, so you might want to wait and use Windows Update. After that I rebooted and ensured my DISPLAY env variable was set to :0, and WAYLAND_DISPLAY was set to wayland-0 (the required values for WSLg) and WSLg started serving my Linux GUIs!! Hope you find this helpful!
I wasn't sure if the

```powershell
New-NetFirewallRule -DisplayName "WSL2toHost" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow -RemoteAddress LocalSubnet
```

My understanding is that this will allow only traffic from the local subnet. I'm not sure if it's strictly needed though. Can anyone confirm one way or the other?
@therealkenc This has had the status "investigation required" for 2.5 years. How is... the investigation going? Any chance this is fixable? Is WSL2 fundamentally incompatible with Windows networking? There are dozens of cross-referencing issues; this is a real problem for so many people. I believe that indicating the network as Private could resolve the issue, at least partially, if that's a possibility at all. The VM switch adapter connection profile is not exposed through WMI, so changing its profile the "normal" way, with
The second row is a Hyper-V internal switch, visible in Control Panel/Networking, but the WSL one isn't. It's interesting that both are visible in the long output of
This one helped me to debug with PyCharm using an environment in WSL 2
Finally something that also works for me. Yes, it needed firewall rules... I will borrow it.. thx
My solution:

```vbscript
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "cmd /c <YOUR_ABSOLUTE_PATH>\disable-wsl-public-profile.bat",0
```

disable-wsl-public-profile.bat:

```bat
wsl exit && powershell -Command "Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases 'vEthernet (WSL)'"
```
My solution is to completely reinstall my WSL by: 1
By doing this, I assume that the WSL network interface has been reconfigured.
So the script from #4139 (comment) does not work on my Windows 10 laptop. The IP address it finds in the first few lines also doesn't seem to be the IP address from WSL in an "ipconfig /all". The commands from #4139 (comment) do work, but they cause a warning in "Windows Security" (the "Restore settings" button) which the security people don't seem to like very much. Are there any other solutions to make xdebug work from WSL2 to a Windows PhpStorm without causing Windows Security warnings?
What worked for me:
Hi! Please try the latest networking features that we've added in WSL. Those should greatly improve connectivity. If the issue still remains, please reopen this issue.
Because Windows randomly turns the firewall back on without your acknowledgement, enforcing a cron job to disable it might be the only compromise solution.

```powershell
# run as admin in "windows powershell"
$option = New-ScheduledJobOption -RunElevated -RequireNetwork
$atLogin = New-JobTrigger -AtLogOn -User *
# repeat every 10 minutes, first run at midnight
$atInterval = New-JobTrigger -Once -RepeatIndefinitely -RepetitionInterval "00:10:00" -At "00:00"
Register-ScheduledJob -Name "F wsl firewall" -ScheduledJobOption $option -Trigger $atLogin, $atInterval -ScriptBlock {
    Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases "vEthernet (WSL)";
}
```

(I know basically nothing about windows powershell, so please let me know if I'm wrong.)
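The workarounds collected in this thread each leave a specific mark on the host: the Public profile disabled on the WSL adapter (the scheduled job above and the .bat solution), inbound allow rules open to Any or to 172.16.0.0/12 (the "Firewall Unlock" and VcXsrv rules), the "Block all connections" state that silently defeats every allow rule, and portproxy listeners bound to 0.0.0.0. As an added example (not code from the thread or from the WSL project), this audit lists which of those are currently in effect, which is what the "Restore settings" warning mentioned earlier is reacting to. The adapter alias "vEthernet (WSL)" is taken from the thread; everything else is read from the live configuration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from this thread: report the firewall-weakening
# workarounds discussed here so each one is visible and deliberate.
$alias    = 'vEthernet (WSL)'                    # adapter alias from the thread
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Profile-level state. An interface listed in DisabledInterfaceAliases gets
#    no filtering at all; AllowInboundRules = False is the "Block all
#    connections" setting that makes every allow rule ineffective.
$public = Get-NetFirewallProfile -Profile Public
if ($public.DisabledInterfaceAliases -contains $alias) {
    $findings.Add("Public profile is disabled on '$alias' (no filtering for WSL traffic)")
}
if ($public.AllowInboundRules -eq $false) {
    $findings.Add('Public profile blocks all inbound connections; per-rule allows are ignored')
}

# 2. Enabled inbound allow rules on the Public profile whose remote scope is
#    Any or the whole 172.16.0.0/12 private range.
$broad = @('Any', '172.16.0.0/12')
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    ForEach-Object {
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        $ports  = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        if ($remote | Where-Object { $broad -contains $_ }) {
            $findings.Add("Rule '$($_.DisplayName)' allows inbound from $($remote -join ',') to port(s) $($ports -join ',')")
        }
    }

# 3. portproxy entries listening on 0.0.0.0 re-expose WSL services on every
#    network the host joins, not only to the host itself. Rows of the netsh
#    table look like: "0.0.0.0  80  172.28.16.5  80".
netsh interface portproxy show v4tov4 | ForEach-Object {
    if ($_ -match '^\s*0\.0\.0\.0\s+(\d+)\s+(\S+)\s+(\d+)') {
        $findings.Add("portproxy 0.0.0.0:$($Matches[1]) forwards to $($Matches[2]):$($Matches[3])")
    }
}

if ($findings.Count -eq 0) { 'No WSL-related firewall weakening found.' } else { $findings }
```

Run it from an elevated PowerShell after any of the thread's scripts to confirm what the host actually looks like; nothing is changed, only reported.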
Your Windows build number: 10.0.18917.1000
What you're doing and what's happening:
Trying to run X11 apps from my Ubuntu installation, which I just upgraded from WSL1 to WSL2. I've configured the X server (VcXsrv) to accept TCP connections, and I've put the IP address of the Windows host into the DISPLAY variable, but the connection times out. Digging into it, I've discovered that the vEthernet adapter is treated as an "Unidentified Network", and so it gets the Public firewall access rules (which, unsurprisingly, includes blocking port 6000). If I disable the firewall entirely, I can connect to the X server just fine. This worked under WSL1, of course.
What's wrong / what should be happening instead:
Connections from a WSL2 VM should be treated as privileged and not subject to firewall rules, probably?
Strace of the failing command, if applicable: