You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Changed
Set-RouterSshPortProxyFirewall scopes its inbound 2222 allow by
source range (-RemoteAddress, default 172.16.0.0/12 - the range
WSL2's NAT allocates from) instead of by -InterfaceAlias. An
interface scope pins the rule to the WSL adapter's interface GUID,
which WSL regenerates across wsl --shutdown / host reboots,
stranding the rule so WSL's SSH to the router drops until a
re-provision. Range scoping has no interface GUID to go stale, so the
rule survives reboots of long-lived VMs with no re-provision, while
still keeping the router's password-auth SSH off the physical LAN and
the Internal-switch subnet (neither sits in 172.16/12). The rule is
refreshed (delete + re-add) each run, which also migrates an older
interface-pinned rule.
Added
Set-RouterSshPortProxyFirewall -WslNatRange to narrow the allowed
source range on hosts that also live on a 172.16/12 network.
Removed
The 0.5.0 Hyper-V Firewall rule (New-NetFirewallHyperVRule).
WSL-to-host traffic is outbound from the WSL VM
(DefaultOutboundAction = Allow), so the Hyper-V Firewall never gated
it - the host's Defender rule was always the control. A leftover VmProvisioner-WSL-RouterSshPortproxy-* Hyper-V rule from a host that
installed 0.5.0 is inert and removable with Remove-NetFirewallHyperVRule.