NodeJS Server Don't Open Port in Windows When Code Executes in WSL Environment

[carpet92]

Windows 10 Version 1607 Build 14393.969

I run simple express.js example:

var express = require('express')
var app = express()

app.get('/', function(req, res) {
	res.send('Hello World!')
})

app.listen(3000, function() {
	console.log('Example app listening on port 3000!')
})

I have "real" IP address, and if I run this code in Windows CMD then port 3000 will be opened and to my server peoples can connected from the outside.

But if I run this example in WSL then port 3000 will be closed and access to server only for me.

Maybe this fixed in future Creators Update? Or not?

[stehufntdev]

Thanks for reporting the issue! There were a number of networking issues that were fixed in the Anniversary update, but there's not enough information above to tell. Could you please collect a strace of the failing application? Also, another thing to try would be disabling your firewall.

[carpet92]

@stehufntdev website don't crashes. I don't have any messages about failing in console. The problem is that when I start the server (Node.js code above) in a WSL environment, to visit this webpage can only me because port is closed (for outside internet). If I right understand then WSL does not open port because this works like Linux Machine and don't have access to Windows network?

[carpet92]

@stehufntdev I record gif to show.

[stehufntdev]

Thanks @Zx-EvM. Yes, I understand the scenario you are describing. However, there's not enough information to determine what is happening or if it is fixed in the upcoming creators update. Can you please do two things:

1.) Collect a strace of the node command on WSL. There are directions in the contributing instructions
2.) Try temporarily disabling your firewall if it is a 3rd party firewall.

Please let me know if there's anything I can clarify.

[carpet92]

@stehufntdev now when I try to disable windows built-in firewall (I don't use third-party firewall) port is opened. But I cannot always use the disabled firewall.

I run strace node index.js command and get output https://gist.github.com/Zx-EvM/a19877508d5cf9f315158711b081dd3f

[therealkenc]

@stehufntdev - Something marginally constructive that bash.exe (or LxssManager) and WSL init could do would be on WSL instantiation, exchange a TCP 'hello world' packet in both directions (listen and send both sides) to see if networking is alive. Give the user a message to the console if it isn't. Pick whatever highport, and shut the "service" down after the exchange. Not a lot of lines of code. You don't (and will never) have complete control on what the AV people are doing behind MSFT's back, nor user's firewall configurations. But at least you can tell users they have a problem and spare these github issues.

[stehufntdev]

Thanks @therealkenc appreciate the suggestion. I agree it would be nice to have a mechanism for self triage, but opening a port on every start-up makes my spider sense tingle for security and other reasons :). All kidding aside we've been looking at improving self triage and I'll make sure this gets bubbled up to the right folks.

[stehufntdev]

@Zx-EvM do you have any Windows firewall rules that allow the Windows NodeJs code to open the port?

Adding @sunilmut to see if he has seen this previously.

[carpet92]

@stehufntdev not, I don't have any Windows firewall rules to open port. Is it necessary to do this? Now I will try. I'm used to the fact that when the server starts the port opens automatically. Is this wrong?

[carpet92]

@stehufntdev thanks. Now I create TCP rule to 3000 port and when I run server in WSL, port is opened.

[carpet92]

@stehufntdev but I have a question. Why Windows do this (open ports) automatically if this is wrong and not secure? How can I forbid it?

[therealkenc]

@stehufntdev - Yeah, while I was typing that message I figured it would make some security type's head explode. Incorrectly mind you, because of the WSL security model (which is perfectly well formed by the way). But explode nonetheless. So... do the hello world exchange with a authenticated DCE/RPC on TCP in both directions (laugh).

[sunilmut]

I am closing this issue out since it seems to be resolved. We have taken a note of your suggestion @therealkenc. Seem like a good idea. Constrained behind resource bandwidth :).

[MintyOrb]

@sunilmut This issue isn't resolved for me after updating to version 1703 build 15063.

This update is eventually forced- previously I've reverted to earlier windows versions where this issue was not present, but I suppose it makes sense to try to actually resolve it (in the meantime I can continue developing by running the node app in cmd).

Are there any workarounds for this or forthcoming fixes? Disabling the firewall/attempting to add rules for the port seems to have no effect.

C:\Users\comp>netstat -a -q | findstr "8000"
  TCP    127.0.0.1:8000         surf:0                 BOUND
  TCP    [::]:8000              surf:0                 BOUND
  TCP    [::]:8000              surf:0                 BOUND

In bash, nc -4 -l 127.0.0.1 8000 just seems to run forever.

[sunilmut]

@bornytm - Apologize for the delay. We understand how blocking this issue can be, but unfortunately, we don't have a full understanding of the root cause. And, even worse, we don't know of any workarounds. Meanwhile, I have gotten some instructions from the core networking team to gather some additional logs. Can you please help us with that?

1. Can you confirm that the Antivirus on your system was disabled during the repro?

Steps to gather logs:

1. From cmd:
   a. Enable WFP connection event auditing
   Auditpol /set /category:"Object Access" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable
2. Open event viewer (you can use Cortana search box to get there), browse to Windows Logs -> Security.
3. Filter out only the bind and listen events by right clicking on the Security and Filter Current Log -> Specify event IDs 5154,5158
4. Open bash prompt and do nc -4 -l 127.0.0.1 8000
5. Open cmd and make sure that no one is listening on the port 8000 using netstat.
6. Go back to event viewer and export the events to a log file by right clicking on security again and Save Filtered Log File As...

Share out the log file.

[MintyOrb]

Thanks a lot for providing the quick reply and background context @sunilmut! I can confirm that I had no anti-virus running (I don't currently have one installed) and I would like to help more, however I had a few things that couldn't be run via cmd so I had to revert to the previous release again (version 1607, build 14393.1066).

I hope someone else in this thread can follow your logging instructions- if I get another forced update and nobody has gotten to it I'll try it out.

[huww98]

@sunilmut I have the same problem. I have no third-party antivirus installed. And I have disabled the Windows Defender's Real-time defense and the windows firewall.

I'm using the Chinese language pack of Windows, so I change the cmd in the first step to Auditpol /set /category:"对象访问" /SubCategory:"筛选平台连接" /success:enable /failure:enable

In the 5th step, I run netstat -aqn | findstr 8000 and I get TCP 127.0.0.1:8000 0.0.0.0:0 BOUND

log.txt
I don't know why I can't upload a zip file, but this is a evtx file, I change the extension to txt to upload it to here.

edit: I have tried to unistall every network related software from my computer, like VMWare, Hyper-v, Docker, WinPcap and my vpn software. But nothing helped.

[imgwho]

the same problem on win10 1709 16299.251 sooooooooooooooooo sad

[sunilmut]

This looks like a duplicate of #1554. Take a look at this post for resolution. You can also upgrade to build 17046 or higher which has a fix for this.