WSL2 Traffic not getting blocked #52
Comments
It should be able to block it indeed. This will need further testing and possibly a fix.
If you try with domain names instead of IPs, the connections do seem to be blocked. I also remember reading articles about the risks of enabling WSL 2 because it completely bypasses Windows Firewall, so I'm unsure how TinyWall can block it in the first place, but maybe I'm just misinformed.
But if TinyWall can't block WSL2, then what's the point of having this WSL2 stuff in it, such as the WSL 2 exception and whatnot? What's the point, why not remove these altogether?
@subvert0r Good point, it's giving users a false sense of security, but it is Microsoft who introduced this backdoor, which you can read in this official "discussion" (read: it's a feature not a bug, they even locked the original issue to tell you this). If you follow the instructions provided there for Windows 11, you might be able to block WSL traffic using Windows Firewall, which might be transferable to TinyWall, too.
@9ao9ai9ar Very good find, thanks! I suspect this is the reason this feature is broken now. According to this article, there is a new HyperV option called firewall on Win11 that you can set to true to make the firewall rules apply to WSL. Setting networkingMode=mirrored may also help. I haven't tested these options yet. @subvert0r The point of having this option in TinyWall is that it used to work, and I didn't know Microsoft broke it until you reported it (I am not using WSL2 myself so I didn't notice, I only tested it once when the feature in TinyWall was developed). The way it used to work is that all WSL2 traffic also ran through the Windows Filtering Platform (let's just say the "Windows Firewall"), and Microsoft routed all traffic from/to WSL2 containers through a virtual ethernet adapter called "vEthernet (WSL)". TinyWall blocked or allowed traffic from/to this adapter based on whether the special exception for WSL2 was enabled or not in TinyWall. The issue and discussion found by 9ao9ai9ar leads me to believe that Microsoft updated WSL2 since then, in a way that it now completely bypasses the Windows Filtering Platform unless you use one or more of the above-mentioned options in Windows 11.
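Added example (not part of the thread and not TinyWall code): a Python check that reads the text of a `.wslconfig` file and reports whether the two options named in the comment above, `firewall` and `networkingMode=mirrored`, are actually set. The `[wsl2]` and `[experimental]` section names and the sample file contents are assumptions, not taken from the issue.

```python
import configparser

# Keys named in the comment above. The section names are an assumption:
# Microsoft documents these keys under [wsl2]; early builds used [experimental].
SECTIONS = ("wsl2", "experimental")
KEYS = ("firewall", "networkingMode")


def read_wsl_settings(text):
    """Return {key: value-or-None} for the two settings, as written in the file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)                      # option names are lower-cased on read
    wanted = {k.lower(): k for k in KEYS}
    found = dict.fromkeys(KEYS)
    for section in cp.sections():
        if section.lower() not in SECTIONS:
            continue
        for name, value in cp.items(section):
            if name in wanted and found[wanted[name]] is None:
                found[wanted[name]] = value.strip()
    return found


def audit(text):
    """List reasons host firewall rules may not cover WSL2 traffic."""
    s = read_wsl_settings(text)
    findings = []
    fw = s["firewall"]
    if fw is None:
        findings.append("firewall not set: effective value depends on the WSL build default")
    elif fw.lower() != "true":
        findings.append(f"firewall={fw}: firewall rules are not applied to WSL by this setting")
    mode = s["networkingMode"]
    if mode is None or mode.lower() != "mirrored":
        findings.append(f"networkingMode={mode or 'unset'}: not mirrored")
    return findings


# Constructed sample files, not taken from the issue.
UNSET = "[wsl2]\nmemory=4GB\n"
HARDENED = "[wsl2]\nnetworkingMode=mirrored\nfirewall=true\n"
DISABLED = "[wsl2]\nnetworkingMode=NAT\nfirewall=false\n"

if __name__ == "__main__":
    for label, text in (("unset", UNSET), ("hardened", HARDENED), ("disabled", DISABLED)):
        print(label, audit(text) or "both options set as the comment suggests")
```

An empty result only means the file requests these options; whether WSL2 traffic is then blocked still has to be confirmed by testing from inside the distribution.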
I'm not sure if I'm missing something or not, but it seems like this project is claiming to be able to block WSL2 VMs connections.
I have set TinyWall to block all connections, but still the WSL2 Ubuntu machine that I am testing it with doesn't get blocked?
And WSL2 is not in the exception list of the app (special exceptions).
Are you guys sure that TinyWall is able to filter WSL2 VMs connections?