
No internet with 3rd party AV/Firewall #475

Open
russalex opened this Issue Jun 4, 2016 · 85 comments

russalex (Contributor) commented Jun 4, 2016

Providing a place where people can report issues running 3rd party firewalls. For this, please report:

  1. Confirm your /etc/resolv.conf nameserver matches the DNS server in ipconfig /all.
  2. What AV/Firewall you're currently running (Bitdefender / Kaspersky / etc...).
  3. Steps you've tried to resolve the issue (i.e. turn off the firewall, set the network adapter as trusted, etc...)

We do know from thread #5 that many people with Bitdefender have discovered turning off their firewall and / or setting their network adapter as Trusted (which basically turns off the firewall for that adapter) allows for network connectivity.

Goal of this thread is to help inform us which configurations have issues and help us document any potential workarounds as well as find any bugs / fixes we may need to address.

@russalex russalex added the discussion label Jun 4, 2016
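An added example for step 1 of the report template above (this is editor-added code, not anything posted in the thread): it parses the nameserver lines of /etc/resolv.conf and the DNS Servers fields of `ipconfig /all`, handling ipconfig's continuation lines and IPv6 zone suffixes, and reports any resolver WSL would use that Windows does not list. Both inputs below are constructed samples; on a real machine, feed it the text of `cat /etc/resolv.conf` from bash and `ipconfig /all` from a cmd prompt.

```python
"""Added example (not from the issue thread): compare the nameservers WSL
sees in /etc/resolv.conf with the DNS servers Windows reports in
`ipconfig /all`. The two sample outputs are constructed, not captured."""
import re
from typing import List

# Constructed /etc/resolv.conf as read from inside WSL.
SAMPLE_RESOLV_CONF = """\
# generated resolver configuration (constructed sample)
nameserver 192.168.1.1
nameserver 8.8.8.8
search example.lan
"""

# Constructed `ipconfig /all` output; the second and third DNS servers sit on
# continuation lines, which is how ipconfig prints multiple servers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-TEST

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       1.1.1.1
                                       fec0:0:0:ffff::1%1
"""

# An ipconfig field line looks like "   Name . . . . : value"; the dot leader
# before the colon distinguishes it from an IPv6 address on a continuation
# line, which has colons but no dots.
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:]*?)\s*\.\s*:\s*(.*)$")


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig_dns(text: str) -> List[str]:
    """Return every 'DNS Servers' value from `ipconfig /all` output, across
    all adapters, including servers listed on continuation lines."""
    servers, in_dns = [], False
    for raw in text.splitlines():
        m = FIELD_RE.match(raw)
        if m:
            name = m.group(1).rstrip(" .")
            value = m.group(2).strip()
            in_dns = name == "DNS Servers"
            if in_dns and value:
                servers.append(value)
            continue
        stripped = raw.strip()
        if in_dns and raw.startswith(" ") and stripped:
            servers.append(stripped)          # continuation line
        else:
            in_dns = False                    # blank line or adapter header
    return servers


def normalize(addr: str) -> str:
    """Lower-case and strip an IPv6 zone index ("%1") so addresses compare."""
    return addr.split("%", 1)[0].lower()


def resolvers_not_known_to_windows(resolv_text: str, ipconfig_text: str) -> List[str]:
    """Nameservers WSL would use that Windows does not list for any adapter.
    An empty list means step 1 of the report template checks out."""
    windows = {normalize(a) for a in parse_ipconfig_dns(ipconfig_text)}
    return [a for a in parse_resolv_conf(resolv_text) if normalize(a) not in windows]


if __name__ == "__main__":
    mismatched = resolvers_not_known_to_windows(SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG)
    if mismatched:
        print("resolv.conf nameservers not reported by ipconfig:", mismatched)
    else:
        print("resolv.conf matches ipconfig /all")
```

With the constructed samples the script reports 8.8.8.8 as a resolver Windows does not know about; a match on every nameserver rules out the resolver configuration and points the investigation at the firewall or AV product instead.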

StfBauer commented Jun 4, 2016

I'm running on Norton 360 and everything seems to work so far. Was able to install and download stuff inside of Bash on Windows.

The only problems I have are more related to the overall network implementation on Bash on Windows. Things such as ifconfig don't work, or at least don't display the current IP address. Many NodeJS things try to be dynamic and try to read the current IP address configuration.
This currently fails. Not sure if it is related to the firewall issue or a general one. I think it is a general problem right now.
I think it would help if you could talk directly to the network configuration or at least have a service that fakes or mirrors the network adapters.

mikeguidry commented Jun 5, 2016

I'm using Windows Firewall and am trying to figure out where this new subsystem relates to configuring it. I hope we figure it out. I might play around and try some things.

paladox commented Jun 7, 2016

Using Norton Security works, but using Microsoft firewall (Microsoft Defender) stops all internet access in bash; I can't access apache2 or anything with Microsoft firewall.

cornem commented Jun 15, 2016

I have BitDefender Endpoint Security (which apparently I cannot turn off, managed by ICT administrator) and it does not work. /etc/resolv.conf looks OK:

nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver fec0:0:0:ffff::1
cfeilen commented Jul 10, 2016

Running AVG Internet Security (16.81.7640), and I am unable to get any network connectivity.
If I disable AVG's Firewall, I can use nslookup, and get a good response for microsoft.com. If I enable the firewall, nslookup fails with: socket.c:1915: internal_send: 75.75.75.75#53: Invalid argument
I can see in my firewall logs that the application is blocking the exe's outbound connection. I tried explicitly adding the executable under %appdata%..\Local\lxss\rootfs\usr\bin\nslookup, but that didn't work.

cdmackie commented Jul 11, 2016

  1. /etc/resolv.conf is fine
  2. Windows Firewall Control, which is just a friendly wrapper for the standard Windows Firewall.
  3. Disabling (in my case) outgoing blocking lets Bash work fine

I run my system where all outgoing connections are blocked until they are explicitly allowed and a firewall rule is created.

However, can't seem to find a way to allow pico processes through Windows Firewall as an exception when everything else is blocked.

cacophobe commented Jul 18, 2016

Faced a boat-load of problems installing and updating Lxss with Kaspersky Total Security (KTS) installed. Tried a lot of workarounds, including unblocking networks, ports, files and folders in KTS and installing and reinstalling the whole Subsystem about five times. Uninstalling KTS solved many of the network issues. I could finally install and update using apt-get and lxrun /update.

#640 #5

cmgibbs commented Jul 19, 2016

I'm using AVG Internet security and even if I'm in the trusted network and I've disabled every option on AVG ("turn off firewall until next reboot", etc.) I can't get commands such as apt-get to connect to the internet, I just get a general permission denied error. Nslookup seems to work when I disable the firewall, but nothing else - however - if I uninstall AVG then everything works as it should. I can apt-get and the like without any issue; so it's some sort of issue with the AVG interaction. Any suggestions?

ramonwirsch commented Jul 24, 2016

Avast Internet Security blocks internet as well. All connections seem to just hang forever. Avast's logs show no blocked traffic, deactivating the Firewall resolves this.

azsde commented Jul 28, 2016

Kaspersky also blocks most of outgoing connections, especially when using apt-get update / upgrade.

Uninstalling kaspersky works great, disabling it isn't enough.

cartel0x27 commented Aug 3, 2016

+1 for broken with windows firewall. No way to create an outbound rule to allow. Disabling the firewall is not a solution.

My configuration is: outbound connections that do not match a rule are blocked.
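For the default-outbound-block setups cdmackie and cartel0x27 describe, the quickest way to confirm that Windows Firewall itself (and not the resolver or the remote host) is refusing the traffic is to turn on logging of dropped packets and read the log. The following is an editor-added example, not code from the thread or from Microsoft: it parses the W3C-style pfirewall.log layout and counts outbound drops per destination port. The log excerpt is constructed and uses documentation address ranges; the port-to-service names are an assumption about what apt, git and DNS need.

```python
"""Added example (not from the issue thread): summarize dropped outbound
packets from the Windows Firewall log so a default-outbound-block setup can
be checked against what WSL is trying to reach. The log lines below are
constructed in the pfirewall.log W3C layout; addresses are documentation
ranges, not real hosts."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt in the format of
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-08-03 12:20:01 DROP UDP 192.168.1.20 8.8.8.8 54321 53 0 - - - - - - - SEND
2016-08-03 12:20:01 DROP UDP 192.168.1.20 8.8.4.4 54321 53 0 - - - - - - - SEND
2016-08-03 12:20:02 DROP TCP 192.168.1.20 203.0.113.10 49732 80 0 S 1234567 0 8192 - - - SEND
2016-08-03 12:20:03 DROP TCP 192.168.1.20 203.0.113.10 49733 443 0 S 1234568 0 8192 - - - SEND
2016-08-03 12:20:04 DROP TCP 198.51.100.7 192.168.1.20 40000 445 0 S 7654321 0 8192 - - - RECEIVE
2016-08-03 12:20:05 ALLOW TCP 192.168.1.20 203.0.113.20 49734 443 0 - 0 0 0 - - - SEND
"""

# Assumed mapping of ports to the WSL activities people report failing.
PORTS_OF_INTEREST = {53: "DNS", 80: "HTTP (apt)", 443: "HTTPS (git/apt)", 22: "SSH"}


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Parse pfirewall.log text into one dict per entry, keyed by the names
    in the #Fields header. Lines whose field count does not match the header
    are skipped rather than guessed at."""
    fields: List[str] = []
    entries = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def outbound_drops_by_port(entries: Iterable[Dict[str, str]]) -> Dict[int, int]:
    """Count DROP/SEND entries by destination port: these are the connections
    the default outbound action (or an AV firewall driver) refused to let out.
    ICMP entries carry '-' as the port and are ignored."""
    counts: Counter = Counter()
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "SEND" and e["dst-port"].isdigit():
            counts[int(e["dst-port"])] += 1
    return dict(counts)


def blocked_services(drops: Dict[int, int]) -> List[Tuple[int, str, int]]:
    """Name the dropped ports that matter for WSL package, git and DNS traffic."""
    return [(p, PORTS_OF_INTEREST[p], n) for p, n in sorted(drops.items())
            if p in PORTS_OF_INTEREST]


if __name__ == "__main__":
    drops = outbound_drops_by_port(parse_firewall_log(SAMPLE_LOG))
    for port, name, n in blocked_services(drops):
        print(f"port {port:>4} ({name}): {n} outbound packet(s) dropped")
```

Drop logging is off by default; `Set-NetFirewallProfile -All -LogBlocked True` in an elevated PowerShell turns it on, writing to the pfirewall.log path above unless you changed it. Two caveats a practitioner should keep in mind: the log records no process path, so a drop caused by apt-get inside WSL looks exactly like a drop caused by any Win32 program, and you have to correlate by timestamp with the command you ran; and the log only shows what the Windows filtering platform dropped, so a third-party AV driver that blocks in its own hooks may leave no trace here at all (ramonwirsch's Avast report above is an example of that).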

allquixotic commented Aug 3, 2016

Setting the adapter to Trusted in Bitdefender "works", but this can't be the long-term solution being proposed by Microsoft. There has to be some way to work with these vendors so that we can get WSL processes whitelisted by the firewall products so we don't have to disable a critical security feature to use basic networking in WSL.

benhillis (Member) commented Aug 3, 2016

@allquixotic You're right, this definitely isn't a long-term solution. Essentially the problem is that with WSL we've introduced a new type of process that these firewalls don't know how to handle. I've reached out to people at Kaspersky and will do the same for the Bitdefender folks so we can help them make the changes they'll need to enlighten their firewalls to our new type of process.

ZatsuneNoMokou commented Aug 3, 2016

I am using Avast Internet Security, the logs show that it is blocking "System" because no rules were found.

Could it be a problem of an unsigned file? (That's what that red message means.)

Note that this firewall blockage blocks the correct installation too.

cdmackie commented Aug 3, 2016

@benhillis What is, or will there be, the right way to identify these processes in Windows Firewall?

allanortiz commented Aug 3, 2016

I disabled the Kaspersky firewall and Windows firewall, and errors persist (no ping, apt-get with connection errors, etc.). Do I need to remove Kaspersky?? :/

mikeguidry commented Aug 3, 2016

Ben,

Is there a way to transform the data into "process information" that those third party firewalls could understand natively? It might be counterproductive to ask them to add an entirely new type. I could be wrong long term, as Linux processes and Windows obviously could be treated very differently...

Lol.. Windows Defender is just as good as these firewalls these days. Most use Microsoft Detours as their hooks as well.. Maybe not the major ones, but the lower 90%... Oh well.

I think it could be relatively possible to either translate a connection in real time to requesting attention from prior WSL firewalls, either in real time or via a linked list being updated? I'm not too sure, considering it's closed source and I'm just observing from the outside in. I haven't had a chance to put pico processes under IDA Pro.

Have a great week.
Mike


mikeguidry commented Aug 3, 2016

Technically it is an unsigned file ;) never before has there been a system polling both file types, and applications together like this.. So it's viewing ELF files (even if somehow getting a hash) as unsigned...


degoya commented Aug 3, 2016

@allanortiz: did you close or just disable Kaspersky?
You need to fully close Kaspersky to make it work. Shutting down the protection for a limited time doesn't work. Also, turning off all the firewall services inside of Kaspersky won't help.
Close Kaspersky and apt should work. No need to fully uninstall it.

allanortiz commented Aug 3, 2016

@degoya just disabled. Can't I work with bash shell having kaspersky activated?

ZatsuneNoMokou commented Aug 3, 2016

@mikeguidry So, there's nothing to do with Avast to allow it? Or there's a rule to make it work?

ramonwirsch commented Aug 3, 2016

For me, even global rules in Avast were not applied to WSL processes. But disabling the firewall sufficed for getting connections to work.

ZatsuneNoMokou commented Aug 3, 2016

@ramonwirsch But keeping firewall disabled... xD

ramonwirsch commented Aug 3, 2016

I know, I know... But I use it mainly to compile stuff and only need connectivity for updates or git pulls, so for me it is not too big of a problem....

ZatsuneNoMokou commented Aug 3, 2016

But I haven't tried yet, does ssh work with this issue?

degoya commented Aug 3, 2016

I think the only thing we could do is wait until all the 3rd party firewalls update.
For Kaspersky there is already something in the works.

https://forum.kaspersky.com/index.php?s=662d01d349ad8497a83c6ea81871f05e&showtopic=354919

ZatsuneNoMokou commented Aug 3, 2016

@degoya And do you know if there's anything for Avast?

degoya commented Aug 3, 2016

@ZatsuneNoMokou : sorry, no idea if there is anything for avast in the works.

techexo commented Jan 29, 2018

@sunilmut Is this documentation available online? I cannot find it.

It is really frustrating because WSL was particularly advertised when it was released as a super cool new functionality, finally allowing developers to have the best of both environments, but it is not even compatible with Windows's own firewall! I find it strange that companies have updated their software under pressure from the community, but Microsoft is not able to do that with one of its own products, while praising Windows Defender & the necessity to use an antivirus and a firewall on personal computers.

therealkenc (Collaborator) commented Jan 29, 2018

It is inaccurate to describe WSL as incompatible with Windows Firewall. WSL is as compatible with Windows Firewall as Docker.

The blog post on pico processes and antivirus/firewall software is here. Which is kind of beside the point unless you work for a 3rd party antivirus or firewall company, who know how to reach Microsoft and ask.

vith commented Jan 30, 2018

WSL is as compatible with Windows Firewall as Docker.

I don't think that's quite accurate either.

I just installed Docker on Windows and I was able to get network access in a container. I could use that. (If it didn't use Hyper-V or if Hyper-V being enabled didn't stop Virtualbox or VMWare from working).

In WSL I cannot get any network access. I can't use that.

sunilmut (Member) commented Jan 30, 2018

@techexo - All we are trying to say is that WSL is work in-progress. We never advertised it as "done". As for WSL integration with Windows firewall, as mentioned previously, we are trying to improve integration. They are not fully incompatible. Windows defender does not block WSL processes. The place where the integration of WSL with Windows firewall is lacking is the inability to specifically exclude a WSL process in the firewall. We are looking into improving this experience.

therealkenc (Collaborator) commented Jan 30, 2018

It seems, from here anyway, that folks are conflating giving WSL its own network alias (ifconfig eth0 192.168.0.123 up) and the perceived requirement to whitelist /usr/bin/wget in Windows Firewall. The latter makes basically no kind of sense, because /usr/bin/wget isn't signed (by Windows) and can be replaced at will with normal user privileges. Or, if you insist, makes perfect sense (for reasons), but is not the reason you can get out to the Interwebs from a Docker container.

vith commented Jan 30, 2018

I just meant that the end result for a user with a default block rule in Windows Firewall is that Docker is possible to use and WSL is not. If it is, please let me know!

I would be perfectly fine with just bridging WSL to my network adapter and letting it bypass Windows Firewall altogether, as is the case with the desktop oriented hypervisors I've used.

I'm actually not personally interested in whitelisting individual linux binaries inside WSL, though I would go that route if it were available and necessary.

I'm sure there's 1000 different ways for a truly malicious application to bypass Windows Firewall, as you allude to. I have no expectation that it's a secure solution. And yet Windows Firewall allows path based rules, and many people use them. For stronger security I would use a virtual machine with no networking (and there be subject to VM escapes anyway).

therealkenc (Collaborator) commented Jan 30, 2018

default block rule in Windows Firewall is that Docker is possible to use and WSL is not. If it is, please let me know!

It is not, AFAIK, because ifconfig eth0 and friends is not supported in WSL. Closest User Voice I could find is here. Maybe there is a better one.

techexo commented Jan 30, 2018

They are not fully incompatible. Windows defender does not block WSL processes. The place where the integration of WSL with Windows firewall is lacking is the inability to specifically exclude a WSL process in the firewall.

So it seems that maybe I skipped a step somewhere? Because with quite a classical configuration for a firewall (i.e. block everything going out and going in if it has not been explicitly whitelisted), I understood that WSL as a whole was not exclude-able. Am I wrong? Or is "a WSL process" what you call the entire subsystem running?

I am more in the situation described by @vith and have no interest in whitelisting individual binaries, just having a way to bypass Windows Firewall for WSL, without deactivating it for the whole system.

sunilmut (Member) commented Jan 30, 2018

There seems to be a general interest towards an "allow all" WSL processes setting in the firewall. I am curious to know where that is coming from. Is it because of DNS queries?

therealkenc (Collaborator) commented Jan 30, 2018

Yep they want outgoing 53 open. And 80. And 443. Like this. Probably 22. Or pick your port poison.

The ask is because people have spent years in Docker and Cygwin. With Docker you can write firewall rules for Docker's IP address in Linux. With Cygwin you can whitelist wget because it is just a Windows binary. With WSL you cannot.

vith commented Jan 30, 2018

There seems to be a general interest towards an "allow all" WSL processes setting in the firewall. I am curious to know where there is coming from. Is it because of DNS queries?

In my case it's because I block outbound network access in Windows Firewall by default, so I'm faced with two options:

  1. Change to an outbound default allow firewall setup in Windows Firewall
  2. Zero network access in WSL aka don't use WSL

Right now I just go with option 2.

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now. I wouldn't bother with per-port rules for my use-case.

I'm sure others have different needs.

therealkenc (Collaborator) commented Jan 31, 2018

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now.

That is equivalent to option (1). Because WSL is Windows, and anyone who has user privileges that allow them to call socket() in a win32 executable (the thing you are presumably trying to prevent with your outgoing firewall rules) can call bash.exe -c thing_that_calls_socket instead.

That said, I have no doubt adding a "allow all pico processes" checkbox in Windows Firewall will make people happy anyway. So sure, why not.

techexo commented Jan 31, 2018

@therealkenc , good remark indeed. And I suppose there is no way of using iptables with WSL like you would on a classical UNIX system?

therealkenc (Collaborator) commented Jan 31, 2018

Yeah no iptables. Yet.

aimlessadam commented Feb 21, 2018

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

thanks!

yonailo commented May 25, 2018

+1 to fix these issues with Kaspersky (still not supported on Kaspersky 11).

I have created a support request
https://forum.kaspersky.com/index.php?/topic/395624-support-for-windows-subsystem-for-linux-wsl/

Tekki commented May 25, 2018

@yonailo I wonder what exactly doesn't work in your case. I've Kaspersky Internet Security installed and use WSL daily to fetch code from GitHub and to connect to my local and external servers without any problems.

bbday commented Jun 12, 2018

At the moment, to work with Kaspersky AV you must go to Settings > Advanced > Network > Monitor ports and disable 80/443.

Jacq commented Sep 18, 2018

Kaspersky also blocks most of outgoing connections, especially when using apt-get update / upgrade.

Uninstalling kaspersky works great, disabling it isn't enough.

Disabling works for me but it is not unblocked immediately, usually there is a delay of some seconds (less than a minute for sure).

WillyShum commented Sep 20, 2018

I've got Avast Internet Security and I've tried disabling the firewall and adding a rule to allow WSL's ping directory full access. But I still cannot ping anything on WSL Ubuntu for Windows 10.

dreadnautxbuddha commented Sep 23, 2018

I was having issues with my Vagrant on WSL wherein accessing an external API doesn't seem to finish. Checking the logs of the server where the API resides isn't showing anything since I really was not able to connect. Found out that BitDefender was the culprit. For now, I added my API's domain name in the exclusions and everything works fine now.

Mizumaky commented Nov 4, 2018

First had a problem failing all connections, then only some, but still couldn't get to install gcc.
Finally solved by trying everything I could:

  • editing /etc/resolv.conf and leaving only the line "nameserver 8.8.4.4."
  • looking at the port behind IP addresses of failed connections and trying disabling network protection for the specified port in the antivirus settings (solved only for most connections, not all, even on that port)
  • completely turning off Kaspersky Free antivirus
  • changing from connection through my dormitory's internet to a wifi connection I shared from my phone
  • (trying apt-get update first)

I dunno if all or only some of this helped, but somehow I got apt-get install gcc to download the rest and work.

Trass3r commented Dec 12, 2018

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

Yeah any updates?

Tekki commented Dec 12, 2018

An update for Kaspersky: getting worse with newer versions. Individual processes from WSL like apt-get or git appear in the program list, but even if they are trusted the connection is blocked. Disabling control of ports 80 and 443 (Settings--Additional--Network) solves most of the problems, but of course reduces the security of the system.

sofsip commented Dec 17, 2018

I had the same issue with ZoneAlarm Firewall. It seems to block traffic for WSL. Snoozing the firewall or antivirus doesn't work. It has to be stopped completely.

Hameem1 commented Jan 21, 2019

I'm trying to get a Flask app running via WSL and I can't open it from the browser via 127.0.0.1:5000. I have an Avast antivirus. I tried setting the adapters to private (trusted) and adding rules to allow for wsl.exe and bash.exe. I also added them to the exclusions list just to be sure, but it doesn't work. However, disabling the Avast firewall works but that isn't a real solution. Is there any fix to this by now? It's 2019!

Tekki commented Jan 22, 2019

It's a misunderstanding to think the processes run inside WSL; they run directly on the Windows kernel. If you type for example

perl -E'for (1..60) { say $_; sleep 1 }'

into WSL and open the Windows Task Manager, you will see 'perl' for one minute on the list. This means not WSL or bash, but Perl, Python or whatever process you start needs to be trusted by the firewall. This is probably what the AV developers don't understand.
Of course it's a shame that in 2019 these companies still take our money for their security products and are still not able to handle such a Windows feature.
