This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →


WSL2 is bypassing Windows firewall rules. #10569

Closed
1 of 2 tasks
rjadidi920 opened this issue Oct 1, 2023 · 1 comment

Comments

@rjadidi920

Windows Version

Windows 10,11

WSL Version

2

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

No response

Distro Version

No response

Other Software

No response

Repro Steps

Add an outbound blocking rule in the firewall for port 22.
Use a WSL2 Linux VM. SSH to a server; it doesn't get blocked by the firewall rule.

Expected Behavior

Blocking SSH of the WSL2 VMs.

Actual Behavior

Not blocking SSH connection of WSL2 VMs.

Diagnostic Logs

No response

@elsaco

elsaco commented Oct 1, 2023

@rjadidi920 The latest WSL beta release added an experimental option to firewall your WSL containers. See details at https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update. This works on Windows 11 only! Windows 10 doesn't support the networkingMode=mirrored option. Blocking port 22 on the host with firewall=true set in .wslconfig seems to work. It adds a new NetFirewallHyperVRule to prevent outbound SSH connections:

PS C:\Users\elsaco> Get-NetFirewallHyperVRule -DisplayName NoSSH-Outbound

Name                  : {F17FEC1C-24F1-4E76-923E-E22AF8B67B2C}
DisplayName           : NoSSH-Outbound
Direction             : Outbound
VMCreatorId           : Any
Protocol              : TCP
LocalAddresses        : Any
LocalPorts            : Any
RemoteAddresses       : Any
RemotePorts           : 22
Action                : Block
Enabled               : True
EnforcementStatus     : OK
PolicyStoreSourceType : HostFirewallLocal
Profiles              : Any

Output when trying to connect from WSL to a local host:

PS C:\Users\elsaco> ssh tux@raspi
ssh: connect to host raspi port 22: Permission denied

This is the firewall rule on Windows side that gets mirrored to WSL side:

PS C:\Users\elsaco> Get-NetFirewallRule -DisplayName NoSSH-Outbound

Name                          : {F17FEC1C-24F1-4E76-923E-E22AF8B67B2C}
DisplayName                   : NoSSH-Outbound
Description                   : Block outbound SSH connections
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Outbound
Action                        : Block
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :
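The check described in the comment above, written out as an added example (not code from the issue or from the WSL project): it verifies the .wslconfig flags, creates the host-side outbound block for TCP/22 if missing, and then confirms that a matching Hyper-V firewall rule exists, which is the object WSL2 traffic is actually evaluated against. It assumes Windows 11 with the NetSecurity cmdlets shown in the comment, an elevated PowerShell session, and a placeholder SSH target host; the rule name NoSSH-Outbound is the one used above.

```powershell
# Added example, not from the issue or the WSL project. Assumes Windows 11,
# an elevated session, and that .wslconfig already enables mirrored networking
# with firewall=true (the settings discussed in the comment above).

$displayName = 'NoSSH-Outbound'              # rule name used in the comment above
$target      = 'ssh-test-host.example'       # placeholder: any host with TCP/22 reachable

# 1. Confirm the .wslconfig flags that make Hyper-V firewall enforcement apply to WSL2.
$wslConfig = Join-Path $env:USERPROFILE '.wslconfig'
$content   = if (Test-Path $wslConfig) { Get-Content $wslConfig } else { @() }
foreach ($setting in @('networkingMode=mirrored', 'firewall=true')) {
    if (-not ($content -match "^\s*$([regex]::Escape($setting))\s*$")) {
        Write-Warning "$wslConfig lacks '$setting'; host rules will not reach WSL2 (run 'wsl --shutdown' after editing)."
    }
}

# 2. Create the host-side outbound block for TCP/22 if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $displayName -Description 'Block outbound SSH connections' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 22 -Profile Any | Out-Null
}

# 3. The host rule alone does not filter the VM; check that the Hyper-V firewall
#    carries an enforced counterpart, as the Get-NetFirewallHyperVRule output above shows.
$hvRule = Get-NetFirewallHyperVRule -DisplayName $displayName -ErrorAction SilentlyContinue
if ($null -eq $hvRule) {
    Write-Warning 'No Hyper-V firewall rule found: WSL2 SSH traffic is NOT being filtered.'
} elseif ("$($hvRule.Enabled)" -ne 'True' -or "$($hvRule.EnforcementStatus)" -ne 'OK') {
    Write-Warning "Hyper-V rule exists but is not enforced (Enabled=$($hvRule.Enabled), EnforcementStatus=$($hvRule.EnforcementStatus))."
} else {
    Write-Output "Hyver-V rule '$displayName' is enforced (VMCreatorId=$($hvRule.VMCreatorId))."
}

# 4. End-to-end check from inside the default distro using bash's /dev/tcp, so no
#    extra tools are needed: a filtered connection fails, an unfiltered one prints "open".
$probe = "timeout 5 bash -c 'exec 3<>/dev/tcp/$target/22' 2>/dev/null && echo open || echo blocked"
wsl.exe -e bash -lc $probe
```

If step 3 warns but the host rule exists, the usual causes on this page are Windows 10 (no mirrored mode) or a .wslconfig change not yet applied by restarting WSL.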

@microsoft microsoft locked and limited conversation to collaborators Oct 2, 2023
@benhillis benhillis converted this issue into discussion #10579 Oct 2, 2023

