No internet with 3rd party AV/Firewall

[russalex]

Providing a place where people can report issues running 3rd party firewalls. For this, please report:

1. Confirm your /etc/resolv.conf nameserver matches the DNS server in ipconfig /all.
2. What AV/Firewall you're currently running (Bitdefender / Kaspersky / etc...).
3. Steps you've tried to resolve the issue (i.e. turn off the firewall, set the network adapter as trusted, etc...)

We do know from thread #5 that many people with Bitdefender have discovered turning off their firewall and / or setting their network adapter as Trusted (which basically turns off the firewall for that adapter) allows for network connectivity.

Goal of this thread is to help inform us which configurations have issues and help us document any potential workarounds as well as find any bugs / fixes we may need to address.

[StfBauer]

I'm running on Norton 360 and everything seems to work so far. Was able to install and download stuff inside of Bash on Windows.

The only problems I have are more related to the overall network implementation on Bash on Windows. Things such as ifconfig doesn't work or at least display the current IP address. Many NodeJS thing try to be dynamic and try to read the current IP Adress configuration.
This currently fails. Not sure if it is related to Firewall Issue or a general one. I think it is an general problem right now.
I think it would help if you can talk directly to the network configuration or at least have a service that fake or mirror the network adapters.

[mikeguidry]

Im using windows firewall and am trying to figure out where this new subsystem relates to configuring it. I hope we figure it out.. I might play around and try some things..

[paladox]

Using Norton security works but using Microsoft firewall (Microsoft Defender) stops all internet access in bash I carn't access apache2 or anything with Microsoft firewall.

[cornem]

I have BitDefender Endpoint Security (which apparently I cannot turn off, managed by ICT adminstrator) and it does not work. /etc/resolv.conf looks OK:

nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver fec0:0:0:ffff::1

[cfeilen]

Running AVG Internet Security (16.81.7640), and I am unable to get any network connectivity.
If I disable AVG's Firewall, I can use nslookup, and get a good response for microsoft.com. If I enable the firewall, nslookup fails with: socket.c:1915: internal_send: 75.75.75.75#53: Invalid argument
I can see in my firewall logs that the application is blocking the exe's outbound connection. I tried explicitly adding the executable under %appdata%..\Local\lxss\rootfs\usr\bin\nslookup, but that didn't work.

[cdmackie]

1. /etc/resolv.conf is fine
2. Windows Firewall Control, which is just a friendly wrapper for the standard Windows Firewall.
3. Disabling (in my case) outgoing blocking lets Bash work fine

I run my system where all outgoing connections are blocked until they are explicitly allowed, and a firewall rule is created,

However, can't seem to find a way to allow pico processes through Windows Firewall as an exception when everything else is blocked.

[cacophobe]

Faced a boat-load of problems installing and updating Lxss with Kaspersky Total Security (KTS) installed. Tried a lot of workarounds, including unblocking networks, ports, files and folders in KTS and installing and reinstalling the whole Subsystem about five times. Uninstalling KTS solved many of the network issues. I could finally install and update using apt-get and lxrun /update.

#640 #5

[cmgibbs]

I'm using AVG Internet security and even if I'm in the trusted network and I've disabled every option on AVG ("turn off firewall until next reboot", etc.) I can't get commands such as apt-get to connect to the internet, I just get a general permission denied error. Nslookup seems to work when I disable the firewall, but nothing else - however - if I uninstall AVG then everything works as it should. I can apt-get and the like without any issue; so it's some sort of issue with the AVG interaction. Any suggestions?

[ramonwirsch]

Avast Internet Security blocks internet as well. All connections seem to just hang forever. Avast's logs show no blocked traffic, deactivating the Firewall resolves this.

[azsde]

Kaspersky also blocks most of outgoing connections, especially when using apt-get update / upgrade.

Uninstalling kaspersky works great, disabling it isn't enough.

[cartel0x27]

+1 for broken with windows firewall. No way to create an outbound rule to allow. Disabling the firewall is not a solution.

My configuration is: outbound connections that do not match a rule are blocked.

[allquixotic]

Setting the adapter to Trusted in Bitdefender "works", but this can't be the long-term solution being proposed by Microsoft. There has to be some way to work with these vendors so that we can get WSL processes whitelisted by the firewall products so we don't have to disable a critical security feature to use basic networking in WSL.

[benhillis]

@allquixotic You're right, this definitely isn't a long-term solution. Essentially the problem is that with WSL we've introduced a new type of process that these firewalls don't know how to handle. I've reached out to people at Kaspersky and will do the same for the Bitdefender folks so we can help them make the changes they'll need to enlighten their firewalls to our new type of process.

[ZatsuneNoMokou]

I am using Avast Internet Security, the logs show that it is blocking "System" because no rules found

Could it be a problem of a unsigned file? (That's what that red message mean)

Can note that this Firewall blockage block the correct installation too

[cdmackie]

@benhillis What is, or will there be. the right way to identify these processes in Windows Firewall?

[allanortiz]

I disable kaspersky firewall and windows firewall, and errors persists (No ping, apt-get with err connections, etc..). I need to remove Kaspersky?? :/

[mikeguidry]

Ben,

Is there a way to transform the data into "process information" that those third party firewalls could understand natively? It might be counter productive to ask them to add an entirely new type. I could be wrong long term as Linux processes, and Windows obviously could
Be treated very different...

Lol.. Windows defender is just as good as these firewalls these days. Most use Microsoft detours as their hooks as well.. Maybe not the major but the lower 90%... Oh well.

I think it could be relatively possibly to either in real time translate a connection to requesting attention from prior WSL firewalls either in real time or a linked list being updated? I'm not too sit considering it's closed source and I'm just observing from the outside in. I haven't had a chance to put pico processes under IDA pro.

Have a great week.
Mike

Sent from my iPhone

On Aug 3, 2016, at 12:20 PM, Ben Hillis notifications@github.com wrote:

@allquixotic You're right, this definitely isn't a long-term solution. Essentially the problem is that with WSL we've introduced a new type of process that these firewalls don't know how to handle. I've reached out to people at Kaspersky and will do the same for the Bitdefender folks so we can help them make the changes they'll need to enlighten their firewalls to our new type of process.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[mikeguidry]

Technically it is an unsigned file ;) never before has there been a system polling both file types, and applications together like this.. So it's viewing ELF files (even if somehow getting a hash) as unsigned...

Sent from my iPhone

On Aug 3, 2016, at 1:36 PM, Zatsune No Mokou notifications@github.com wrote:

I am using Avast Internet Security, the logs show that it is blocking "System" because no rules found

Could it be a problem of a unsigned file? (That's what that red message mean)

Can note that this Firewall blockage block the correct installation too

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[degoya]

@allanortiz : did you closed or just disabled Kaspersky?
you need to fully close Kaspersky to make it work. Shutting down the Protection for limited Time doesn't work. Also turning of all the firewall services inside of kaspersky won't help.
close Kaspersky and apt should work. no need to fully uninstall it

[allanortiz]

@degoya just disabled. Can't I work with bash shell having kaspersky activated?

[ZatsuneNoMokou]

@mikeguidry So, there's nothing to do with Avast to allow it? Or there's a rule to make it work?

[ramonwirsch]

For me, even global rules in Avast were not applied to WSL processes. But disabling the firewall sufficed for getting connections to work.

[ZatsuneNoMokou]

@ramonwirsch But keeping firewall disabled... xD

[ramonwirsch]

I know, i know... But I use it mainly to compile stuff and only need connectivity for updates or git pulls, so for me it is not too big of a Problem....

[ZatsuneNoMokou]

But I haven't tried yet, does ssh work with this issue?

[degoya]

i think the only thing we could do is wait until all the 3rd party firewalls will update.
For Kaspersky there is already something in the works.

https://forum.kaspersky.com/index.php?s=662d01d349ad8497a83c6ea81871f05e&showtopic=354919

[ZatsuneNoMokou]

@degoya And you know is there's anything for Avast?

[degoya]

@ZatsuneNoMokou : sorry, no idea if there is anything for avast in the works.

[techexo]

@sunilmut Is this documentation available online? I cannot find it.

It is really frustrating because WSL was particularly advertised when it was released as a super cool new functionality, finally allowing developers to have the best of both environments, but it is not even compatible with Windows's own firewall! I find strange that companies have updated their softwares under pressure of the community, but Microsoft is not able to do that with one of its own product, while praising Windows Defender & the necessity to use an antivirus and a firewall on personal computers.

[therealkenc]

It is inaccurate to describe WSL as incompatible with Windows Firewall. WSL is as compatible with Windows Firewall as Docker.

The blog post on pico processes and antivirus/firewall software is here. Which is kind of beside the point unless you work for a 3rd party antivirus or firewall company, who know how to reach Microsoft and ask.

[vith]

WSL is as compatible with Windows Firewall as Docker.

I don't think that's quite accurate either.

I just installed Docker on Windows and I was able to get network access in a container. I could use that. (If it didn't use Hyper-V or if Hyper-V being enabled didn't stop Virtualbox or VMWare from working).

In WSL I cannot get any network access. I can't use that.

[sunilmut]

@techexo - All we are trying to say is that WSL is work in-progress. We never advertised it as "done". As for WSL integration with Windows firewall, as mentioned previously, we are trying to improve integration. They are not fully incompatible. Windows defender does not block WSL processes. The place where the integration of WSL with Windows firewall is lacking is the inability to specifically exclude a WSL process in the firewall. We are looking into improving this experience.

[therealkenc]

It seems, from here anyway, that folks are conflating giving WSL it's own network alias (ifconfig eth0 192.168.0.123 up), and the perceived requirement to whitelist /usr/bin/wget in Windows Firewall. The latter makes basically no kind of sense, because /usr/bin/wget isn't signed (by Windows) and can be replaced at will with normal user privileges. Or, if you insist, makes perfect sense (for reasons), but is not the reason you can get out to the Interwebs from a Docker container.

[vith]

I just meant that the end result for a user with a default block rule in Windows Firewall is that Docker is possible to use and WSL is not. If it is, please let me know!

I would be perfectly fine with just bridging WSL to my network adapter and letting it bypass Windows Firewall altogether, as is the case with the desktop oriented hypervisors I've used.

I'm actually not personally interested in whitelisting individual linux binaries inside WSL, though I would go that route if it were available and necessary.

I'm sure there's 1000 different ways for a truly malicious application to bypass Windows Firewall, as you alude to. I have no expectation that it's a secure solution. And yet Windows Firewall allows path based rules, and many people use them. For stronger security I would use a virtual machine with no networking (and there be subject to VM escapes anyway).

[therealkenc]

default block rule in Windows Firewall is that Docker is possible to use and WSL is not. If it is, please let me know!

It is not, AFAIK, because ifconfig eth0 and friends is not supported in WSL. Closest User Voice I could find is here. Maybe there is a better one.

[techexo]

They are not fully incompatible. Windows defender does not block WSL processes. The place where the integration of WSL with Windows firewall is lacking is the inability to specifically exclude a WSL process in the firewall.

So it seems that maybe I skipped a step somewhere? Because with quite a classical configuration for a firewall (i.e. block everything going out and going in if it has not been explicitely whitelisted), I understood that WSL as a whole was not exclude-able. Am I wrong? Or "a WSL process" is what you call the entire subsystem running?

I am more in the situation described by @vith and have no interest of whitelisting individual binaries, just having a way to bypass Windows Firewall for WSL, without deactivating the firewall it for the whole system.

[sunilmut]

There seems to be a general interest towards an "allow all" WSL processes setting in the firewall. I am curious to know where there is coming from. Is it because of DNS queries?

[therealkenc]

Yep they want outgoing 53 open. And 80. And 443. Like this. Probably 22. Or pick your port poison.

The ask is because people have spent years in Docker and Cygwin. With Docker you can write firewall rules for Docker's IP address in Linux. With Cygwin you can whitelist wget because it is just a Windows binary. With WSL you cannot.

[vith]

There seems to be a general interest towards an "allow all" WSL processes setting in the firewall. I am curious to know where there is coming from. Is it because of DNS queries?

In my case it's because I block outbound network access in Windows Firewall by default, so I'm faced with two options:

1. Change to an outbound default allow firewall setup in Windows Firewall
2. Zero network access in WSL aka don't use WSL

Right now I just go with option 2.

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now. I wouldn't bother with per-port rules for my use-case.

I'm sure others have different needs.

[therealkenc]

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now.

That is equivalent to option (1). Because WSL is Windows and anyone who has user privileges that allow them to call call socket() in a win32 executable (the thing you are presumably trying to prevent with your outgoing firewall rules) can call bash.exe -c thing_that_calls_socket instead.

That said, I have no doubt adding a "allow all pico processes" checkbox in Windows Firewall will make people happy anyway. So sure, why not.

[techexo]

@therealkenc , good remark indeed. And I suppose there is no way of using iptables with WSL like you would on a classical UNIX system?

[therealkenc]

Yeah no iptables. Yet.

[aimlessadam]

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

thanks!

[yonailo]

+1 to fix these issues with Kaspersky (still not supported on Kaspersky 11).

I have created a support request
https://forum.kaspersky.com/index.php?/topic/395624-support-for-windows-subsystem-for-linux-wsl/

[Tekki]

@yonailo I wonder what exactly doesn't work in your case. I've Kaspersky Internet Security installed and use WSL daily to fetch code from GitHub and to connect to my local and external servers without any problems.

[bbday]

At the moment to work with Kaspersky AV you must go on settings > advanced > network > monitor port and disables 80/443

[Jacq]

Kaspersky also blocks most of outgoing connections, especially when using apt-get update / upgrade.

Uninstalling kaspersky works great, disabling it isn't enough.

Disabling works for me but it is not unblocked immediately, usually there is a delay of some seconds (less than a minute for sure).

[WillyShum]

I've got Avast Internet Security and I've tried disabling firewall and included a rule to allow WSL' ping directory full access. But I still cannot ping any thing on wsl ubuntu for windows 10

[dreadnautxbuddha]

I was having issues with my Vagrant on WSL wherein accessing an external API doesn't seem to finish. Checking the logs of the server where the API resides isn't showing anything since I really was not able to connect. Found out that BitDefender was the culprit. For now, I added my API's domain name in the exclusions and everything works fine now.

[Mizumaky]

First had a problem failing all connections, then only some, but still couldnt get to install gcc.
Finally solved by trying everything i could:

• editing /etc/resolv.conf and leaving only line "nameserver 8.8.4.4."
• looking at the port behind ip adresses of failed connections and trying disabling network protection for the specified port in the antivirus settings (solved only for most connections, not all, even on that port)
• completely turning off Kaspersky Free anitivirus
• changing from connection through my dormitory's internet to a wifi connection i shared from my phone
• (trying apt-get update first)

I dunno if all or only some of this helped, but somehow i got apt-get install gcc to download the rest and work.

[Trass3r]

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

Yeah any updates?

[Tekki]

An update for Kaspersky: Getting worse with newer versions. Individual processes from WSL like apt-get or git appear in the program list, but even if they are trusted the connection is blocked. Disable controlling of port 80 and 443 (Settings--Additional--Network) solves most of the problems, but of course reduces the security of the system.

[sofsip]

I had the same issue with Zone Alarm Firewall. It seems to block traffic for WSL. Snoozing the firewall or antivirus doesn't work. it has to be stopped completely.

[Hameem1]

I'm trying to get a Flask app running via WSL and I can't open it from the browser via 127.0.0.1:5000. I have an Avast antivirus. I tried setting the adapters to private (trusted) and adding rules to allow for wsl.exe and bash.exe. I also added them to the exclusions list just to be sure, but it doesn't work. However, disabling the Avast firewall works but that isn't a real solution. Is there any fix to this by now? It's 2019!

[Tekki]

It's a misunderstanding to think the processes run inside WSL; they run directly on the Windows kernel. If you type for example

perl -E'for (1..60) { say $_; sleep 1 }'

into WSL and open the Windows Task Manager, you will see 'perl' for one minute on the list. This means not WSL or bash, but Perl, Python or whatever process you start needs to be trusted by the firewall. This is probably what the AV developers don't understand.
Of course it's shame that in 2019 these companies still take our money for their security products and are still not able to handle such a Windows feature.