simplewall
WSL2: allow connections via a custom rule
Microsoft has enabled in its recent 2004 update WSL2 and I can't seem to understand how to allow its traffic, I don't see any prompts and the only way to allow traffic is to disable simplewall or both of these rules:
Block inbound connections for all
Prevent port scanning
Is there a way to keep those rules enabled, but create an exception for WSL2? Thank you!
I have the same problem. With WSL1 I got a popup for the tool that wanted to connect (e.g. ping). If I can help further with extended logs or something similar, I would be glad to help. I installed WSL2 yesterday and only used PengWin so far.
+1
Working here with svchost enabled. Or create a custom rule for svchost.exe allowing inbound UDP traffic between ports 32768-61000.
works for me :), thank you
Thanks, @GetzMikalsen, this does indeed help, though do you know if there is a more narrow range to open for this shared host process?
> Thanks, @GetzMikalsen, this does indeed help, though do you know if there is a more narrow range to open for this shared host process?

Not that I'm aware of without modifying the network system in Windows/WSL.
Normally dynamic ports range between 49152 and 61000 but the Linux kernel being used uses ports from 32768.
We could file a report to the WSL2 repo to by default limit the ports used for inbound UDP traffic. This is one of the caveats of running Linux in a virtual machine rather than using the Windows networking stack as in WSL1.
But I will try changing the config on my install. You can check what port range is used on your machine by running
cat /proc/sys/net/ipv4/ip_local_port_range
You can read more here https://serverfault.com/questions/222606/how-can-i-reject-all-incoming-udp-packets-except-for-dns-lookups and here https://en.wikipedia.org/wiki/Ephemeral_port
Can confirm that # echo 32768 32768 > /proc/sys/net/ipv4/ip_local_port_range
works to set the port used to 32768. I'm not advising you to do this, but it does enable you to limit the port range.
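Added example (not part of the thread, and not simplewall or WSL code): a shell check, run inside the WSL2 distribution, that compares the range in /proc/sys/net/ipv4/ip_local_port_range with a firewall rule's UDP port range such as the 32768-61000 suggested above. The function names and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare the Linux ephemeral port range with a firewall rule.
# The default path is the one quoted in the thread; set RANGE_FILE or pass a
# third argument to check a saved copy instead of the live kernel value.
RANGE_FILE="${RANGE_FILE:-/proc/sys/net/ipv4/ip_local_port_range}"

# read_range FILE: print "LOW HIGH", or fail if the file is missing/malformed.
read_range() (
    low='' high='' rest=''
    read -r low high rest < "$1" || [ -n "$low" ] || exit 1
    case "$low" in ''|*[!0-9]*) exit 1 ;; esac
    case "$high" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$low" -le "$high" ] || exit 1
    echo "$low $high"
)

# rule_status RULE_LOW RULE_HIGH [FILE]
# Prints "<covered|partial> kernel=L-H outside=N unused=M" where
#   outside = ephemeral ports the rule does not allow (replies get dropped)
#   unused  = allowed ports the kernel never picks (open for no benefit)
rule_status() (
    rule_low=$1 rule_high=$2
    set -- $(read_range "${3:-$RANGE_FILE}")
    if [ "$#" -ne 2 ]; then
        echo "error: cannot parse port range" >&2
        exit 2
    fi
    low=$1 high=$2
    # Intersection of the kernel range and the rule range.
    ov_low=$(( $low > $rule_low ? $low : $rule_low ))
    ov_high=$(( $high < $rule_high ? $high : $rule_high ))
    overlap=0
    if [ "$ov_high" -ge "$ov_low" ]; then
        overlap=$(( $ov_high - $ov_low + 1 ))
    fi
    outside=$(( $high - $low + 1 - $overlap ))
    unused=$(( $rule_high - $rule_low + 1 - $overlap ))
    status=covered
    if [ "$outside" -ne 0 ]; then status=partial; fi
    echo "$status kernel=$low-$high outside=$outside unused=$unused"
)

# Stand-alone use: sh check_range.sh 32768 61000
if [ "$#" -eq 2 ]; then rule_status "$1" "$2"; fi
```

A `covered` result with a large `unused` count means the firewall rule could be narrowed to the printed kernel range; `partial` means some outbound UDP requests will use source ports whose replies the rule does not admit.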
New WSL2 networking works from a Windows service, because allowing svchost and "apg get" is working, but this is no solution. The question is which Windows service WSL2 uses. If anyone knows, please write about it.
Similar problem with WSL2
When simplewall is enabled:
When simplewall is disabled:
I have added multiple executables to exclusions in simplewall:
- bash.exe
- ubuntu.exe
- wsl.exe
- wslhost.exe
- vmcompute.exe
- vmwp.exe
with no effect..
EDIT: @henrypp
> there is question is which Windows service WSL2 used? if anyone know, please write about it.

The service is called SharedAccess. C:\Windows\System32\ipnathlp.dll
I can confirm that adding an exception for SharedAccess via the services tab will make WSL2 work flawlessly.
No idea if that's at least a little bit better than allowing svchost completely but I'd assume so. I guess you can mark this as solved.
> I can confirm that adding an exception for SharedAccess via the services tab will make WSL2 work flawlessly.
> No idea if that's at least a little bit better than allowing svchost completely but I'd assume so. I guess you can mark this as solved.

This worked for me as well, thanks :)
This won't work for me.
When I disable the filter everything works. But I cannot allow this empty application :)