Add "allow" rule to Windows firewall for WSL2 network #4585

Closed
throwable-one opened this issue Oct 9, 2019 · 30 comments
Comments

@throwable-one

throwable-one commented Oct 9, 2019

I was trying to connect to a Windows machine from Linux and found that it is blocked by default.

The WSL virtual NIC connection belongs to the "Public" profile, and almost all connections are forbidden.

As a workaround, I added the following rule explicitly:

PS C:\WINDOWS\system32> $myIp = (Ubuntu1804 run "cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2")
PS C:\WINDOWS\system32> $myIp
172.21.0.1
PS C:\WINDOWS\system32>  New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -LocalAddress $myIp -Action Allow

Workaround works. But it would be great to have this rule enabled by default.

@throwable-one
Author

How to repro.

On Windows, listen to some port

PS C:\WINDOWS\system32> $Listener = [System.Net.Sockets.TcpListener]80;
PS C:\WINDOWS\system32> $Listener.Start();
PS C:\WINDOWS\system32> $Listener.AcceptSocket();

On WSL2, try to connect to it:
$ telnet $(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2) 80

You would not be able to connect until you create an appropriate firewall rule.

@therealkenc
Collaborator

#4139

@dansanduleac

Nice!
Since the IP might change every time you restart your computer, why not use the interface?

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

@eromoe

eromoe commented May 21, 2020

@dansanduleac This allows ping, but how can I access some port on Windows without shutting down the firewall?

@Dicridon

> Nice!
> Since the IP might change every time you restart your computer, why not use the interface?
>
> New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

Thank you so much, I searched for about two hours to make WSL2 launch a graphic Emacs, and this command enabled the use of Emacs GUI, many thanks!

@CyberQin

CyberQin commented Jun 6, 2020

> @dansanduleac This allows ping, but how can I access some port on Windows without shutting down the firewall?

try add new inbound rule for these ports?

@dansanduleac

@eromoe @HQDragon The command I posted should allow you to access anything exposed by Windows from WSL, no matter what port, however bear in mind that any apps you've launched get an automated rule created for them when you first launch them, blocking access from public networks (this is when you get a prompt from Windows Firewall, asking whether the app should be allowed to accept connections from public networks). If you don't explicitly allow, they will be blocked by default, which also blocks connections from WSL. So you might need to find that inbound rule, and change it from block to allow (or just delete it).

More info here (linked from this comment on the original issue #4139 (comment))
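The comment above combines two points: scope the allow rule to the WSL adapter rather than a changing IP, and remember that per-application Block rules still override it. The script below is an added example (not from the thread or from the WSL project) that does both in one pass: it discovers the WSL adapter by name pattern (so it matches both "vEthernet (WSL)" and the newer "vEthernet (WSL (Hyper-V firewall))" alias), narrows the rule further to the WSL subnet derived from the host's address on that adapter, and then lists the enabled inbound Block rules that would still win. The rule name "WSL2 inbound" is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the issue thread. Tested concept only against
# the standard NetSecurity cmdlets; adapter alias and rule name are assumptions.

# 1. Find the WSL virtual adapter instead of hard-coding its alias.
$wslAdapter = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceAlias -like 'vEthernet (WSL*' } |
    Select-Object -First 1
if (-not $wslAdapter) { throw 'No WSL vEthernet adapter found; is WSL2 running?' }
$alias = $wslAdapter.InterfaceAlias

# 2. Derive the WSL subnet from the host's IPv4 address on that adapter
#    (e.g. 172.21.0.1/20 becomes 172.21.0.0/20). Scoping by subnet as well as
#    by interface keeps the rule from admitting any other peer that later
#    shows up behind a same-named vEthernet adapter.
$ip = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 |
    Select-Object -First 1
$prefix = [int]$ip.PrefixLength
$bytes = ([System.Net.IPAddress]::Parse($ip.IPAddress)).GetAddressBytes()
for ($i = 0; $i -lt 4; $i++) {
    # Number of network bits that fall inside this octet (0..8).
    $bitsKept = [Math]::Max(0, [Math]::Min(8, $prefix - 8 * $i))
    $bytes[$i] = $bytes[$i] -band ((0xFF -shl (8 - $bitsKept)) -band 0xFF)
}
$subnet = "$([System.Net.IPAddress]::new($bytes))/$prefix"

# 3. Replace any previous copy of the rule, then create the scoped allow rule.
Get-NetFirewallRule -DisplayName 'WSL2 inbound' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'WSL2 inbound' -Direction Inbound -Action Allow `
    -InterfaceAlias $alias -RemoteAddress $subnet -Profile Any | Out-Null
Write-Host "Allowed inbound from $subnet via '$alias'"

# 4. Per-application Block rules (created when the Windows Firewall prompt is
#    dismissed) take precedence over this Allow rule. Show the enabled ones on
#    the Public profile, where the WSL adapter normally lands, so the right
#    one can be edited or removed deliberately rather than the firewall
#    being disabled wholesale.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    ForEach-Object {
        $program = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $program }
    } | Format-Table -AutoSize
```

Re-run the script after a reboot if the WSL subnet has changed; the Block-rule listing is read-only, so deciding which entry to change stays a manual step.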

@chaoky

chaoky commented Oct 21, 2020

> Nice!
> Since the IP might change every time you restart your computer, why not use the interface?
>
> New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

this should be in the docs

@yakaboskic

In case this helps anyone: I was trying to set up a new laptop that I just bought and nothing here worked. That's when I realized the Windows machine I just bought had a McAfee Firewall on it (free one-year subscription). So all the Windows Firewall stuff wasn't actually working because it wasn't the active firewall (McAfee was), and they have known compatibility issues with WSL/WSL2. Once I uninstalled the McAfee firewall (you could also just disable it), everything here worked except the telnet stuff. For some reason that still didn't work, but I was able to connect to my X servers no problem, which is probably why most of us were here.

@brucejo75

If you are trying to connect to a MongoDB, follow @dansanduleac's advice.

Mongo installs rules named "MongoDB Database Server" on Windows that disallow public connections to MongoDB. To be able to access it from WSL, these need to be disabled.

That is 6 hours I won't get back! I hope you are saved that time.

@balexandre

balexandre commented Apr 22, 2021

this is still extremely unreliable,
sometimes works, sometimes it does not, other times only works until you shut down the computer 😢

I've

  • restored all Firewall rules
  • added the WSL rule as WSL by interface as
    New-NetFirewallRule -DisplayName "WSL by interface" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
  • tested without restarting
  • tested after restarting
  • also tried having all Firewalls disabled (Domain, Private and Public) - and restart after change

I can't reach localhost:8989 from the Windows side, and as Ubuntu-20.04 under WSL2 does not have any browser, it's hard to develop in these conditions 😔

  • machine info:
    Edition: Windows 10 Pro
    Version: 20H2
    Installed on: 25-06-2020
    OS build: 19042.928
    Experience: Windows Feature Experience Pack 120.2212.551.0
  • image below has Ubuntu on the left side and PowerShell on the right side of Windows Terminal 1.7.1033.0, both showing the output of curl http://localhost:8989

[image]

Does anyone know some reliable trick that I can use to develop web interfaces under WSL2?

@ahillikerMDSOL

> Does anyone know some reliable trick that I can use to develop web interfaces under WSL2?

You can hit the IP address that Ubuntu is using if you're using the same machine (ifconfig from WSL2 terminal will give you this address) - is that what you mean?

What I'm running into is trying to hit that IP from a wifi connected device like a phone or something.

I'm definitely in over my head here, but was hoping changing the -InterfaceAlias to 'vWan' or something would do the trick, but a) I don't know where to find the correct term for that alias, and b) I don't know if that's even how it works - maybe WSL interprets incoming wifi requests through the vEthernet adapter?

@celowsky

celowsky commented May 9, 2021

I'm still having this issue as well when trying to debug my application from within WSL using IntelliJ's PyCharm.

@stopal

stopal commented Jul 13, 2021

> @eromoe @HQDragon The command I posted should allow you to access anything exposed by Windows from WSL, no matter what port, however bear in mind that any apps you've launched get an automated rule created for them when you first launch them, blocking access from public networks (this is when you get a prompt from Windows Firewall, asking whether the app should be allowed to accept connections from public networks). If you don't explicitly allow, they will be blocked by default, which also blocks connections from WSL. So you might need to find that inbound rule, and change it from block to allow (or just delete it).
>
> More info here (linked from this comment on the original issue #4139 (comment))

Thank you so much for that hint! I was about to give up. Setting up the specific IP range for the "Remote IP Addresses" has done the trick for me. -> #4139 (comment)

@diegolikescode

Sometimes I have problems with the WSL network, but this always does the trick: Get-Service LxssManager | Restart-Service. This just reboots WSL, and I can access "localhost:4321" normally again. I have to run this every time I start Windows.

@davelet

davelet commented Jan 19, 2022

I resolved it as this thread: #4139 (comment)

@mcicat

mcicat commented Mar 8, 2022

Thank You! This solved an issue I've been facing for over a month. For some reason after updating to Windows 11, fetching repositories by VSCode (which was started from WSL) was unbearably slow. This solved it!

@marriagav

Does anyone know how to do this for an outbound rule? I've tried just changing the direction, to no success.

@MrPointer

> Does anyone know how to do this for an outbound rule? I've tried just changing the direction, to no success.

@marriagav Very naively, I tried this:
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

And it worked for me! This is the only thing that has worked in fact, among tons of others that I've tried 😄

@merajhasan88

merajhasan88 commented Sep 1, 2022

I tried all of the above as well as this thread: [https://github.com//issues/4139] to no avail. Windows 21H2

Just trying to use GTK-3 on VSCode with a WSL2 Ubuntu terminal. Using VcXsrv running in background.
I run this command on a small Hello World code:
gcc `pkg-config --cflags gtk+-3.0` -o gui hello.c `pkg-config --libs gtk+-3.0`
and it gives a 'gui' object. I run:
./gui
and it says:

Unable to init server: Could not connect: Connection refused

(gui:32): Gtk-WARNING **: 10:51:06.383: cannot open display:

I installed xfce4 but that doesn't work either. Upon running this:
xfce4-session
I get this:

Unable to init server: Could not connect: Connection refused
xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

Restarted everything several times.

@kenvix

kenvix commented Jan 1, 2023

For my instances, New-NetFirewallRule doesn't work and I don't know why. I use Set-NetFirewallProfile to directly disable the firewall on the WSL2 interface instead of adding a rule to allow it.

#Requires -RunAsAdministrator

Set-NetFirewallProfile -Profile Private -DisabledInterfaceAliases "vEthernet (WSL)"
Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases "vEthernet (WSL)"

@pigLoveRabbit520

win 11 failed:
netsh interface ipv4 show interfaces got

 1          75  4294967295  connected     Loopback Pseudo-Interface 1
 11          25        1500  disconnected  WLAN
  7          25        1500  connected     以太网
  8          25        1500  disconnected  本地连接* 9
  6          25        1500  disconnected  本地连接* 10
 17          65        1500  disconnected  蓝牙网络连接
 25        5000        1500  connected     vEthernet (Default Switch)
 53        5000        1500  connected     vEthernet (WSL (Hyper-V firewall))

so after I do New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL (Hyper-V firewall))" -Action Allow, I still cannot access the service on windows from wsl2.

@KeisukeeLee

> Does anyone know how to do this for an outbound rule? I've tried just changing the direction, to no success.
>
> @marriagav Very naively, I tried this: New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
>
> And it worked for me! This is the only thing that has worked in fact, among tons of others that I've tried 😄

I tested this. This works not only for the WSL NIC but for all interfaces.

@schmik

schmik commented Apr 5, 2024

Thanks, everyone. WIN11 here, Rancher Desktop with containerd.

PowerShell'ing

Get-NetAdapter -IncludeHidden | Format-Table -AutoSize

helped find the right "-InterfaceAlias"...

I ended up using

New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL (Hyper-V firewall))" -Action Allow

Now, when I have a containerized pgadmin and a containerized postgres listening on :5432...

nerdctl ps
CONTAINER ID    IMAGE                                COMMAND                   CREATED           STATUS    PORTS                     NAMES
5d0c3acb38ea    docker.io/dpage/pgadmin4:latest      "/entrypoint.sh"          14 minutes ago    Up        0.0.0.0:6543->80/tcp      pgadmin4-5d0c3
92147e941b71    docker.io/library/postgres:latest    "docker-entrypoint.s…"    17 minutes ago    Up        0.0.0.0:5432->5432/tcp    localDB

... I'm (pgadmin is) able to connect to host.docker.internal:5432 👌

@LifeJustDLC

Because Windows randomly turns on the firewall without your acknowledgement, enforcing a cron job to disable it might be the only compromise solution.

# run as admin in "windows powershell"
$option = New-ScheduledJobOption -RunElevated -RequireNetwork
$atLogin = New-JobTrigger -AtLogOn -User *
$atInterval = New-JobTrigger -Once -RepeatIndefinitely -RepetitionInterval "00:10:00" -At "0am"
Register-ScheduledJob -Name "F wsl firewall" -ScheduledJobOption $option -Trigger $atLogin, $atInterval -ScriptBlock {
    Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases "vEthernet (WSL)";
}

(I know basically nothing about windows powershell, so please let me know if I'm wrong.)
Also don't forget to enable inbound rules on the "Windows" host side.

@pikouser

pikouser commented Jun 7, 2024

For me the command New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL (Hyper-V firewall))" -Action Allow fails with HRESULT 0x80070057. Adding this rule manually also does not change the port blockage; it seems the block is inside WSL. Anyway, I found another solution. Just storing it here so perhaps it saves someone's time. It is already possible to run GUI apps with WSL:
https://learn.microsoft.com/en-us/windows/wsl/tutorials/gui-apps

@dante198712

I just installed WSL Ubuntu on W11 and nothing works anywhere; the same thing happened to me testing on other virtualization platforms such as VirtualBox, Docker and Hyper-V.

The easiest thing was to completely destabilize the Windows Firewall, but it did not work; additionally, I have already tried a lot of tutorials related to adding Firewall GUI/PowerShell rules and am still totally blocked.

Very bad that it is so complicated to enable such basic functionality; formerly, even in VirtualBox, it was very easy to use the internet from the guest system!

@Petros626

I did the following, which worked for me (Windows 10 & WSL2):

  1. sudo nano /etc/ssh/ssh_config
  2. Under section Host* add ServerAliveInterval 5 (I guess any value is okay?)
  3. sudo nano /etc/ssh/sshd_config
  4. Near the end of the file search for: ClientAliveInterval 60; TCPKeepAlive yes; ClientAliveCountMax 10000
  5. service ssh restart
  6. ssh nameofmachine@xxx.xxx.xxx.xx

@dwymark-celestron

These are the commands I needed to get the internet working again. Not sure which of these were necessary; posting this here for my own future reference. I'll update it if I learn more later.

New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL (Hyper-V firewall))" -Action Allow
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vSwitch (Default Switch)" -Action Allow
wsl --shutdown

Then I restarted WSL by opening a new session in Windows Terminal.

I used the command below to find the two InterfaceAliases (thanks @schmik):

Get-NetAdapter -IncludeHidden | Format-Table -AutoSize

@dwymark-celestron

UPDATE: I realized that there is another factor that was important in my case. For an unrelated reason, I needed to run the following commands in PowerShell:

net stop hns
net start hns

Doing this while WSL2 is running causes it to lose internet access even though DNS continues to function. I am able to get the internet access to work again by restarting WSL. (Specifically, I mean running wsl --shutdown and then opening Ubuntu in Windows Terminal.)

I am not sure if the firewall commands I mentioned in my last comment were important or not, because I also restarted WSL. It's possible that they were just a red herring (in my case).
