Simplewall: WSL2: allow connections via a custom rule

Created on 15 Jun 2020 · 9 Comments · Source: henrypp/simplewall

Microsoft has enabled in its recent 2004 update WSL2 and I can't seem to understand how to allow its traffic, I don't see any prompts and the only way to allow traffic is to disable simplewall or both of these rules:
Block inbound connections for all
Prevent port scanning

Is there a way to keep those rules enabled, but create an exception for WSL2?
Thank you!

question

All 9 comments

I have the same problem. With WSL1 I got a popup for the tool that wanted to connect (e.g. ping). If I can help further with extended logs or something similar, I would be glad to help.
I installed WSL2 yesterday and only used PengWin so far.

+1

Working here with svchost enabled.
Or create a custom rule for svchost.exe allowing inbound udp traffic between ports 32768-61000

works for me :), thank you

Thanks, @GetzMikalsen, this does indeed help, though do you know if there is a more narrow range to open for this shared host process?

Thanks, @GetzMikalsen, this does indeed help, though do you know if there is a more narrow range to open for this shared host process?

Not that I'm aware of without modifying the network system in Windows/WSL.
Normally dynamic ports range between 49152 and 61000, but the Linux kernel being used uses ports from 32768.
We could file a report to the WSL2 repo to limit by default the ports used for inbound UDP traffic. This is one of the caveats of running Linux in a virtual machine rather than using the Windows networking stack as in WSL1.
But I will try changing the config on my install. You can check what port range is used on your machine by running
cat /proc/sys/net/ipv4/ip_local_port_range

You can read more here
https://serverfault.com/questions/222606/how-can-i-reject-all-incoming-udp-packets-except-for-dns-lookups
and here
https://en.wikipedia.org/wiki/Ephemeral_port

Can confirm that # echo 32768 32768 > /proc/sys/net/ipv4/ip_local_port_range works to set the port used to 32768. I'm not advising you to do this, but it does enable you to limit the port range.
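The two comments above leave a practical question open: does the svchost.exe inbound UDP rule range actually cover the ephemeral range the WSL2 kernel is using? The following shell script is an added example, not code from the thread or from simplewall; it reads the ip_local_port_range format the comment describes, checks a proposed rule range against it, and prints the narrowest range that would still work (the sample file contents are constructed, not captured from anyone's machine).

```shell
#!/bin/sh
# Added example: compare a firewall rule's inbound UDP port range for svchost.exe
# with the ephemeral port range the WSL2 kernel actually uses. The kernel range is
# read from /proc/sys/net/ipv4/ip_local_port_range, which holds "low high".

# read_ephemeral_range [FILE]
# Prints "low high" from the given file (default: the real proc path).
read_ephemeral_range() {
    file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    # The two integers are separated by a tab; normalise whitespace and trim.
    tr -s '[:space:]' ' ' < "$file" | sed 's/^ *//; s/ *$//'
}

# rule_covers_range RULE_LO RULE_HI KERNEL_LO KERNEL_HI
# Succeeds (exit 0) only if the rule's range fully covers the kernel's range.
rule_covers_range() {
    [ "$1" -le "$3" ] && [ "$2" -ge "$4" ]
}

# suggest_rule_range KERNEL_LO KERNEL_HI
# Prints the narrowest rule range ("lo-hi") that covers the kernel range,
# clamped to valid port numbers, so the rule is no wider than it needs to be.
suggest_rule_range() {
    lo="$1"; hi="$2"
    [ "$lo" -lt 1 ] && lo=1
    [ "$hi" -gt 65535 ] && hi=65535
    printf '%s-%s\n' "$lo" "$hi"
}

# Constructed sample input standing in for /proc/sys/net/ipv4/ip_local_port_range.
SAMPLE_FILE="$(mktemp)"
printf '32768\t60999\n' > "$SAMPLE_FILE"
set -- $(read_ephemeral_range "$SAMPLE_FILE")
echo "kernel ephemeral range: $1-$2"
# The rule range proposed in the thread is 32768-61000.
if rule_covers_range 32768 61000 "$1" "$2"; then
    echo "rule 32768-61000 covers it; narrowest rule: $(suggest_rule_range "$1" "$2")"
else
    echo "rule 32768-61000 does NOT cover the kernel range"
fi
rm -f "$SAMPLE_FILE"
```

Run it inside the WSL2 distribution with no argument to read_ephemeral_range to check the live kernel value; the check is read-only and changes nothing.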

The new WSL2 networking works from a Windows service, because allowing svchost makes "apt-get" work, but this is no solution.
The question is which Windows service WSL2 uses. If anyone knows, please write about it.

Similar problem with WSL2

When simplewall is enabled: [screenshot]

When simplewall is disabled: [screenshot]

I have added multiple executables to exclusions in simplewall:

  • bash.exe
  • ubuntu.exe
  • wsl.exe
  • wslhost.exe
  • vmcompute.exe
  • vmwp.exe

with no effect.

EDIT:
@henrypp

The question is which Windows service WSL2 uses. If anyone knows, please write about it.

The service is called SharedAccess.
C:\Windows\System32\ipnathlp.dll
