Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add "allow" rule to Windows firewall for WSL2 network #4585

Closed
throwable-one opened this issue Oct 9, 2019 · 23 comments
Closed

Add "allow" rule to Windows firewall for WSL2 network #4585

throwable-one opened this issue Oct 9, 2019 · 23 comments

Comments

@throwable-one
Copy link

throwable-one commented Oct 9, 2019

I was trying to connect to Windows machine from Linux and found that it is blocked by default.

WSL virtual NIC connection belongs to "Public" profile and almost all connections are forbidden.

As workaround, I added following rule explicitly:

PS C:\WINDOWS\system32> $myIp = (Ubuntu1804 run "cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2")
PS C:\WINDOWS\system32> $myIp
172.21.0.1
PS C:\WINDOWS\system32>  New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -LocalAddress $myIp -Action Allow

Workaround works. But it would be great to have this rule enabled by default.

@throwable-one
Copy link
Author

How to repro.

On Windows, listen to some port

PS C:\WINDOWS\system32> $Listener = [System.Net.Sockets.TcpListener]80;
PS C:\WINDOWS\system32> $Listener.Start();
PS C:\WINDOWS\system32> $Listener.AcceptSocket();

On WSL2, try to connect to it:
$ telnet $(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2) 80

You would not be able to connect until you create appropriate firewall rule

@therealkenc
Copy link
Collaborator

#4139

@dansanduleac
Copy link

Nice!
Since the IP might change every time you restart your computer, why not use the inteface?

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

@eromoe
Copy link

eromoe commented May 21, 2020

@dansanduleac This allow ping, but how can I access some port on windows , without shutdown the firewall ?

@Dicridon
Copy link

Nice!
Since the IP might change every time you restart your computer, why not use the inteface?

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

Thank you so much, I searched for about two hours to make WSL2 launch a graphic Emacs, and this command enabled the use of Emacs GUI, many thanks!

@CyberQin
Copy link

CyberQin commented Jun 6, 2020

@dansanduleac This allow ping, but how can I access some port on windows , without shutdown the firewall ?

try add new inbound rule for these ports?

@dansanduleac
Copy link

@eromoe @HQDragon The command I posted should allow you to access anything exposed by Windows from WSL, no matter what port, however bear in mind that any apps you've launched get an automated rule created for them when you first launch them, blocking access from public networks (this is when you get a prompt from Windows Firewall, asking whether the app should be allowed to accept connections from public networks). If you don't explicitly allow, they will be blocked by default, which also blocks connections from WSL. So you might need to find that inbound rule, and change it from block to allow (or just delete it).

More info here (linked from this comment on the original issue #4139 (comment))

@chaoky
Copy link

chaoky commented Oct 21, 2020

Nice!
Since the IP might change every time you restart your computer, why not use the inteface?

New-NetFirewallRule -DisplayName "WSL" -Direction Inbound  -InterfaceAlias "vEthernet (WSL)"  -Action Allow

this should be in the docs

@yakaboskic
Copy link

In case this helps anyone: I was trying to setup a new laptop that I just bought and nothing here worked. That's when I realized the Windows machine I just bought had a McAfee Firewall on it (free one year subscription). So all the windows firewall stuff wasn't actually working cause it wasn't the active Firewall (McAfee was) and they have known compatibility issues with WSL/WSL2. Once I uninstalled the McAfee firewall (you could also just disable it), everything here worked except the telnet stuff. For some reason that still didn't work, but I was able to connect to my X servers no problem, which is probably why most of us were here.

@brucejo75
Copy link

If you are trying to connect to a mongodb follow @dansanduleac advice.

Mongo installs rules MongoDB Database Server on windows that disallow public connections to mongodb. To be able to access from WSL these need to be disabled.

That is 6 hours I won't get back! I hope you are saved that time.

@balexandre
Copy link

balexandre commented Apr 22, 2021

this is still extremely unreliable,
sometimes works, sometimes it does not, other times only works until you shut down the computer 😢

I've

  • restored all Firewall rules
  • added the WSL rule as WSL by interface as
    New-NetFirewallRule -DisplayName "WSL by interface" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow
  • tested without restarting
  • tested after restarting
  • also tried having all Firewalls disabled (Domain, Private and Public) - and restart after change

I can't reach the localhost:8989 from the Windows side and as Ubuntu-20.04 under WSL2 does not have any browser, it's hard to develop in these conditions 😔


  • machine info:
Edition	Windows 10 Pro
Version		20H2
Installed on	‎25-‎06-‎2020
OS build	19042.928
Experience	Windows Feature Experience Pack 120.2212.551.0
  • image below has Ubuntu on the left side and PowerShell on the right side of Windows Terminal 1.7.1033.0, both showing the output of curl http://localhost:8989

image

Does anyone know some reliable trick that I can use to develop web interfaces under WSL2?

@ahillikerMDSOL
Copy link

Does anyone know some reliable trick that I can use to develop web interfaces under WSL2?

You can hit the IP address that Ubuntu is using if you're using the same machine (ifconfig from WSL2 terminal will give you this address) - is that what you mean?

What I'm running into is trying to hit that IP from a wifi connected device like a phone or something.

I'm definitely in over my head here, but was hoping changing the -InterfaceAlias to 'vWan' or something would do the trick, but a) I don't know where to find the correct term for that alias, and b) I don't know if that's even how it works - maybe WSL interprets incoming wifi requests through the vEthernet adapter?

@celowsky
Copy link

celowsky commented May 9, 2021

I'm still having this issue as well when trying to debug my application from within the WSL using Intellij's Pycharm

@stopal
Copy link

stopal commented Jul 13, 2021

@eromoe @HQDragon The command I posted should allow you to access anything exposed by Windows from WSL, no matter what port, however bear in mind that any apps you've launched get an automated rule created for them when you first launch them, blocking access from public networks (this is when you get a prompt from Windows Firewall, asking whether the app should be allowed to accept connections from public networks). If you don't explicitly allow, they will be blocked by default, which also blocks connections from WSL. So you might need to find that inbound rule, and change it from block to allow (or just delete it).

More info here (linked from this comment on the original issue #4139 (comment))

Thank you so much for that hint! I was about to give up. Setting up the specific IP Range for the "Remote IP Adresses" has done the trick for me. -> #4139 (comment)

@diegolikescode
Copy link

Sometimes I have problems with the WSL network, but this always do the trick: Get-Service LxssManager | Restart-Service this just reboots the WSL, and I can access "localhost:4321" normally again, I have to run this every time I start Windows.

@davelet
Copy link

davelet commented Jan 19, 2022

I resolved it as this thread: #4139 (comment)

@mcicat
Copy link

mcicat commented Mar 8, 2022

Thank You! This solved an issue I've been facing for over a month. For some reason after updating to Windows 11, fetching repositories by VSCode (which was started from WSL) was unbearably slow. This solved it!

@marriagav
Copy link

Does anyone know how to do this for an outbound rule? I´ve tried just changing the direction to no success

@MrPointer
Copy link

Does anyone know how to do this for an outbound rule? I´ve tried just changing the direction to no success

@marriagav Very naively, I tried this:
New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

And it worked for me! This is the only thing that has worked in fact, among tons of others that I've tried 😄

@merajhasan88
Copy link

merajhasan88 commented Sep 1, 2022

I tried all of the above as well as this thread: [https://github.com//issues/4139] to no avail. Windows 21H2

Just trying to use GTK-3 on VSCode with a WSL2 Ubuntu terminal. Using VcXsrv running in background.
I run this command on a small Hello World code:
gcc pkg-config --cflags gtk+-3.0 -o gui hello.c pkg-config --libs gtk+-3.0
and it gives a 'gui' object. I run:
./gui
and it says:

Unable to init server: Could not connect: Connection refused

(gui:32): Gtk-WARNING **: 10:51:06.383: cannot open display:

I installed xfce4 but that doesnt work too. Upon running this:
xfce4-session
I get this:

Unable to init server: Could not connect: Connection refused
xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

Restarted everything several times.

@kenvix
Copy link

kenvix commented Jan 1, 2023

For my instances, New-NetFirewallRule doesn't work and I don't know why. I use Set-NetFirewallProfile to directly disable firewall on WSL2 interface instead to add a rule and allow it.

#Requires -RunAsAdministrator

Set-NetFirewallProfile -Profile Private -DisabledInterfaceAliases "vEthernet (WSL)"
Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases "vEthernet (WSL)"

@pigLoveRabbit520
Copy link

win 11 failed:
netsh interface ipv4 show interfaces got

 1          75  4294967295  connected     Loopback Pseudo-Interface 1
 11          25        1500  disconnected  WLAN
  7          25        1500  connected     以太网
  8          25        1500  disconnected  本地连接* 9
  6          25        1500  disconnected  本地连接* 10
 17          65        1500  disconnected  蓝牙网络连接
 25        5000        1500  connected     vEthernet (Default Switch)
 53        5000        1500  connected     vEthernet (WSL (Hyper-V firewall))

so after I do New-NetFirewallRule -DisplayName "WSL" -Direction Inbound -InterfaceAlias "vEthernet (WSL (Hyper-V firewall))" -Action Allow, I still cannot access the service on windows from wsl2.

@KeisukeeLee
Copy link

Does anyone know how to do this for an outbound rule? I´ve tried just changing the direction to no success

@marriagav Very naively, I tried this: New-NetFirewallRule -DisplayName "WSL" -Direction Outbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

And it worked for me! This is the only thing that has worked in fact, among tons of others that I've tried 😄

I tested this. This is work for not only WSL NIC but all Interfaces.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests