
No internet with 3rd party AV/Firewall #475

Closed
russalex opened this issue Jun 4, 2016 · 91 comments

@russalex
Contributor

russalex commented Jun 4, 2016

Providing a place where people can report issues running 3rd party firewalls. For this, please report:

  1. Confirm your /etc/resolv.conf nameserver matches the DNS server in ipconfig /all.
  2. What AV/Firewall you're currently running (Bitdefender / Kaspersky / etc...).
  3. Steps you've tried to resolve the issue (i.e. turn off the firewall, set the network adapter as trusted, etc...)

We do know from thread #5 that many people with Bitdefender have discovered turning off their firewall and / or setting their network adapter as Trusted (which basically turns off the firewall for that adapter) allows for network connectivity.

The goal of this thread is to help inform us which configurations have issues, help us document any potential workarounds, and find any bugs / fixes we may need to address.
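Step 1 of the checklist above, as an added worked example that is not part of the original issue or of WSL itself: a Python script that parses the nameserver lines of a WSL /etc/resolv.conf and the "DNS Servers" entries of `ipconfig /all` output, then reports which addresses appear on only one side. Both inputs are constructed sample text so the script runs offline (the resolv.conf values mirror ones reported in this thread; the Windows-side addresses are made up). On a real machine you would pass the actual file and the saved command output as the two arguments.

```python
import re
import sys

# Constructed sample /etc/resolv.conf as WSL generates it (example values).
SAMPLE_RESOLV_CONF = """\
# This file was automatically generated by WSL.
nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver fec0:0:0:ffff::1
search example.invalid
"""

# Constructed, abbreviated `ipconfig /all` output (example values).
SAMPLE_IPCONFIG_ALL = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.invalid
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       fec0:0:0:ffff::1%1
"""

# A labelled ipconfig line: indentation, a label, dot leaders, then ": value".
# IPv6 continuation lines such as "fec0:0:0:ffff::1%1" do not match because
# none of their colons is followed by a space or the end of the line.
LABEL_RE = re.compile(
    r"^\s+(?P<label>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:(?: (?P<value>.*))?$"
)


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def _clean_address(value):
    """Drop an IPv6 zone index ("%1") or a "(Preferred)" style suffix."""
    return re.split(r"[%(]", value)[0].strip()


def parse_ipconfig_dns(text):
    """Return the DNS server addresses from `ipconfig /all` output.

    The first address sits on the 'DNS Servers' line; further addresses follow
    on indented continuation lines with no label, until the next labelled line.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            in_dns_block = m.group("label").strip().lower().startswith("dns servers")
            if in_dns_block and m.group("value"):
                servers.append(_clean_address(m.group("value")))
        elif in_dns_block and line.startswith(" ") and line.strip():
            servers.append(_clean_address(line))
        else:
            in_dns_block = False
    return servers


def compare_dns(resolv_text, ipconfig_text):
    """Report which nameservers the WSL and Windows sides disagree on."""
    wsl = parse_resolv_conf(resolv_text)
    win = parse_ipconfig_dns(ipconfig_text)
    return {
        "wsl": wsl,
        "windows": win,
        "only_in_wsl": [s for s in wsl if s not in win],
        "only_in_windows": [s for s in win if s not in wsl],
        "match": set(wsl) == set(win),
    }


def main(argv):
    # With two file arguments read real data; otherwise use the constructed samples.
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            resolv = f.read()
        with open(argv[2], encoding="utf-8", errors="replace") as f:
            ipconf = f.read()
    else:
        resolv, ipconf = SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG_ALL
    report = compare_dns(resolv, ipconf)
    print("WSL nameservers:    ", report["wsl"])
    print("Windows DNS servers:", report["windows"])
    if report["match"]:
        print("OK: both sides agree")
    else:
        print("MISMATCH - only in WSL:", report["only_in_wsl"],
              "| only in Windows:", report["only_in_windows"])
    return 0 if report["match"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed samples the script exits non-zero and shows that WSL is pointed at public resolvers while Windows uses the router, which is exactly the situation where a firewall that only trusts the adapter's configured DNS server will drop WSL's queries. The label matching assumes English `ipconfig` output; on a localized Windows the "DNS Servers" label differs and the regex prefix check would need adjusting.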

@StfBauer

StfBauer commented Jun 4, 2016

I'm running on Norton 360 and everything seems to work so far. Was able to install and download stuff inside of Bash on Windows.

The only problems I have are more related to the overall network implementation of Bash on Windows. Things such as ifconfig don't work, or at least don't display the current IP address. Many NodeJS things try to be dynamic and read the current IP address configuration.
This currently fails. Not sure if it is related to the firewall issue or a general one; I think it is a general problem right now.
I think it would help if you could talk directly to the network configuration, or at least have a service that fakes or mirrors the network adapters.

@mikeguidry

I'm using Windows Firewall and am trying to figure out how this new subsystem relates to configuring it. I hope we figure it out. I might play around and try some things.

@paladox

paladox commented Jun 7, 2016

Using Norton Security works, but using the Microsoft firewall (Microsoft Defender) stops all internet access in Bash. I can't access apache2 or anything with the Microsoft firewall.

@cornem

cornem commented Jun 15, 2016

I have BitDefender Endpoint Security (which apparently I cannot turn off, as it is managed by the ICT administrator) and it does not work. /etc/resolv.conf looks OK:

nameserver 8.8.4.4
nameserver 8.8.8.8
nameserver fec0:0:0:ffff::1

@cfeilen

cfeilen commented Jul 10, 2016

Running AVG Internet Security (16.81.7640), and I am unable to get any network connectivity.
If I disable AVG's Firewall, I can use nslookup, and get a good response for microsoft.com. If I enable the firewall, nslookup fails with: socket.c:1915: internal_send: 75.75.75.75#53: Invalid argument
I can see in my firewall logs that the application is blocking the exe's outbound connection. I tried explicitly adding the executable under %appdata%..\Local\lxss\rootfs\usr\bin\nslookup, but that didn't work.

@cdmackie

  1. /etc/resolv.conf is fine
  2. Windows Firewall Control, which is just a friendly wrapper for the standard Windows Firewall.
  3. Disabling (in my case) outgoing blocking lets Bash work fine

I run my system where all outgoing connections are blocked until they are explicitly allowed and a firewall rule is created.

However, I can't seem to find a way to allow pico processes through Windows Firewall as an exception when everything else is blocked.

@cacophobe

Faced a boat-load of problems installing and updating Lxss with Kaspersky Total Security (KTS) installed. Tried a lot of workarounds, including unblocking networks, ports, files and folders in KTS and installing and reinstalling the whole Subsystem about five times. Uninstalling KTS solved many of the network issues. I could finally install and update using apt-get and lxrun /update.

#640 #5

@cmgibbs

cmgibbs commented Jul 19, 2016

I'm using AVG Internet Security, and even if I'm in the trusted network and I've disabled every option in AVG ("turn off firewall until next reboot", etc.), I can't get commands such as apt-get to connect to the internet; I just get a general permission denied error. nslookup seems to work when I disable the firewall, but nothing else. However, if I uninstall AVG then everything works as it should. I can apt-get and the like without any issue, so it's some sort of issue with the AVG interaction. Any suggestions?

@ramonwirsch

Avast Internet Security blocks internet as well. All connections seem to just hang forever. Avast's logs show no blocked traffic; deactivating the firewall resolves this.

@azsde

azsde commented Jul 28, 2016

Kaspersky also blocks most outgoing connections, especially when using apt-get update / upgrade.

Uninstalling Kaspersky works great; disabling it isn't enough.

@cartel0x27

cartel0x27 commented Aug 3, 2016

+1 for broken with Windows Firewall. No way to create an outbound rule to allow it. Disabling the firewall is not a solution.

My configuration is: outbound connections that do not match a rule are blocked.

@allquixotic

Setting the adapter to Trusted in Bitdefender "works", but this can't be the long-term solution being proposed by Microsoft. There has to be some way to work with these vendors so that we can get WSL processes whitelisted by the firewall products so we don't have to disable a critical security feature to use basic networking in WSL.

@benhillis
Member

benhillis commented Aug 3, 2016

@allquixotic You're right, this definitely isn't a long-term solution. Essentially the problem is that with WSL we've introduced a new type of process that these firewalls don't know how to handle. I've reached out to people at Kaspersky and will do the same for the Bitdefender folks so we can help them make the changes they'll need to enlighten their firewalls to our new type of process.

@ZatsuneNoMokou

ZatsuneNoMokou commented Aug 3, 2016

I am using Avast Internet Security; the logs show that it is blocking "System" because no rules were found.


Could it be a problem of an unsigned file? (That's what that red message means.)

I can note that this firewall blockage blocks the correct installation too.

@cdmackie

cdmackie commented Aug 3, 2016

@benhillis What is, or will there be, the right way to identify these processes in Windows Firewall?

@allanortiz

I disabled the Kaspersky firewall and Windows Firewall, and the errors persist (no ping, apt-get with connection errors, etc.). Do I need to remove Kaspersky?? :/

@mikeguidry

Ben,

Is there a way to transform the data into "process information" that those third party firewalls could understand natively? It might be counter-productive to ask them to add an entirely new type. I could be wrong long term, as Linux processes and Windows processes obviously could be treated very differently...

Lol.. Windows Defender is just as good as these firewalls these days. Most use Microsoft Detours as their hooks as well.. Maybe not the major ones, but the lower 90%... Oh well.

I think it could be relatively possible to either translate a connection in real time into a request for attention from prior WSL firewalls, or keep a linked list that is updated? I'm not too sure, considering it's closed source and I'm just observing from the outside in. I haven't had a chance to put pico processes under IDA Pro.

Have a great week.
Mike


@mikeguidry

Technically it is an unsigned file ;) Never before has there been a system polling both file types and applications together like this.. So it's viewing ELF files (even if it somehow gets a hash) as unsigned...


@degoya

degoya commented Aug 3, 2016

@allanortiz : did you close or just disable Kaspersky?
You need to fully close Kaspersky to make it work. Shutting down the protection for a limited time doesn't work. Also, turning off all the firewall services inside of Kaspersky won't help.
Close Kaspersky and apt should work. No need to fully uninstall it.

@allanortiz

@degoya just disabled. Can't I work with bash shell having kaspersky activated?

@ZatsuneNoMokou

@mikeguidry So, there's nothing to do with Avast to allow it? Or is there a rule to make it work?

@ramonwirsch

For me, even global rules in Avast were not applied to WSL processes. But disabling the firewall sufficed for getting connections to work.

@ZatsuneNoMokou

@ramonwirsch But keeping firewall disabled... xD

@ramonwirsch

I know, I know... But I use it mainly to compile stuff and only need connectivity for updates or git pulls, so for me it is not too big of a problem....

@ZatsuneNoMokou

But I haven't tried yet: does ssh work with this issue?

@degoya

degoya commented Aug 3, 2016

I think the only thing we can do is wait until all the 3rd party firewalls update.
For Kaspersky there is already something in the works.

https://forum.kaspersky.com/index.php?s=662d01d349ad8497a83c6ea81871f05e&showtopic=354919

@ZatsuneNoMokou

@degoya And do you know if there's anything for Avast?

@degoya

degoya commented Aug 3, 2016

@ZatsuneNoMokou : sorry, no idea if there is anything for Avast in the works.

@therealkenc
Collaborator

therealkenc commented Jan 30, 2018

Yep they want outgoing 53 open. And 80. And 443. Like this. Probably 22. Or pick your port poison.

The ask is because people have spent years in Docker and Cygwin. With Docker you can write firewall rules for Docker's IP address in Linux. With Cygwin you can whitelist wget because it is just a Windows binary. With WSL you cannot.

@vith

vith commented Jan 30, 2018

There seems to be a general interest in an "allow all WSL processes" setting in the firewall. I am curious to know where this is coming from. Is it because of DNS queries?

In my case it's because I block outbound network access in Windows Firewall by default, so I'm faced with two options:

  1. Change to an outbound default allow firewall setup in Windows Firewall
  2. Zero network access in WSL aka don't use WSL

Right now I just go with option 2.

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now. I wouldn't bother with per-port rules for my use-case.

I'm sure others have different needs.

@therealkenc
Collaborator

therealkenc commented Jan 31, 2018

Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now.

That is equivalent to option (1). Because WSL is Windows, and anyone who has user privileges that allow them to call socket() in a win32 executable (the thing you are presumably trying to prevent with your outgoing firewall rules) can call bash.exe -c thing_that_calls_socket instead.

That said, I have no doubt adding a "allow all pico processes" checkbox in Windows Firewall will make people happy anyway. So sure, why not.

@techexo

techexo commented Jan 31, 2018

@therealkenc , good remark indeed. And I suppose there is no way of using iptables with WSL like you would on a classical UNIX system?

@therealkenc
Collaborator

Yeah no iptables. Yet.

@aimlessadam

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in. Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

thanks!

@yonailo

yonailo commented May 25, 2018

+1 to fix these issues with Kaspersky (still not supported on Kaspersky 11).

I have created a support request
https://forum.kaspersky.com/index.php?/topic/395624-support-for-windows-subsystem-for-linux-wsl/

@Tekki

Tekki commented May 25, 2018

@yonailo I wonder what exactly doesn't work in your case. I have Kaspersky Internet Security installed and use WSL daily to fetch code from GitHub and to connect to my local and external servers without any problems.

@bbday

bbday commented Jun 12, 2018

At the moment, to work with Kaspersky AV you must go to Settings > Advanced > Network > Monitor ports and disable 80/443.

@Jacq

Jacq commented Sep 18, 2018

Kaspersky also blocks most outgoing connections, especially when using apt-get update / upgrade.

Uninstalling Kaspersky works great; disabling it isn't enough.

Disabling works for me but it is not unblocked immediately, usually there is a delay of some seconds (less than a minute for sure).

@WillyShum

I've got Avast Internet Security and I've tried disabling the firewall and adding a rule to allow WSL's ping directory full access, but I still cannot ping anything on WSL Ubuntu for Windows 10.

@dreadnautxbuddha

I was having issues with my Vagrant on WSL wherein accessing an external API doesn't seem to finish. Checking the logs of the server where the API resides isn't showing anything since I really was not able to connect. Found out that BitDefender was the culprit. For now, I added my API's domain name in the exclusions and everything works fine now.

@Mizumaky

Mizumaky commented Nov 4, 2018

First I had a problem with all connections failing, then only some, but I still couldn't get gcc to install.
Finally solved it by trying everything I could:

  • editing /etc/resolv.conf and leaving only the line "nameserver 8.8.4.4"
  • looking at the port behind the IP addresses of failed connections and trying to disable network protection for the specified port in the antivirus settings (solved only most connections, not all, even on that port)
  • completely turning off Kaspersky Free antivirus
  • changing from a connection through my dormitory's internet to a wifi connection I shared from my phone
  • (trying apt-get update first)

I dunno if all or only some of this helped, but somehow I got apt-get install gcc to download the rest and work.

@Trass3r

Trass3r commented Dec 12, 2018

Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting?

Yeah any updates?

@Tekki

Tekki commented Dec 12, 2018

An update for Kaspersky: it is getting worse with newer versions. Individual processes from WSL like apt-get or git appear in the program list, but even if they are trusted the connection is blocked. Disabling control of ports 80 and 443 (Settings--Additional--Network) solves most of the problems, but of course reduces the security of the system.

@sofsip

sofsip commented Dec 17, 2018

I had the same issue with ZoneAlarm Firewall. It seems to block traffic for WSL. Snoozing the firewall or antivirus doesn't work; it has to be stopped completely.

@Hameem1

Hameem1 commented Jan 21, 2019

I'm trying to get a Flask app running via WSL and I can't open it from the browser via 127.0.0.1:5000. I have an Avast antivirus. I tried setting the adapters to private (trusted) and adding rules to allow for wsl.exe and bash.exe. I also added them to the exclusions list just to be sure, but it doesn't work. However, disabling the Avast firewall works but that isn't a real solution. Is there any fix to this by now? It's 2019!

@Tekki

Tekki commented Jan 22, 2019

It's a misunderstanding to think the processes run inside WSL; they run directly on the Windows kernel. If you type for example

perl -E'for (1..60) { say $_; sleep 1 }'

into WSL and open the Windows Task Manager, you will see 'perl' for one minute on the list. This means not WSL or bash, but Perl, Python or whatever process you start needs to be trusted by the firewall. This is probably what the AV developers don't understand.
Of course it's a shame that in 2019 these companies still take our money for their security products and are still not able to handle such a Windows feature.

@tingjhenjiang

tingjhenjiang commented Jul 10, 2019

Now I'm using WSL 2 and Avast Internet Security, and the network connection is blocked by the Avast firewall. If I turn off the Avast firewall the network connection works well. When the firewall is on, even after I add
"C:\Windows\System32\lxss\wslhost.exe"
"C:\Windows\System32\bash.exe"
"C:\Windows\System32\wsl.exe"
"C:\Windows\System32\conhost.exe"
to a new application rule (all allowed, following https://support.avast.com/en-ww/article/Antivirus-Firewall-Application-Rules ), network connections are still blocked.

@uniibu

uniibu commented Aug 28, 2019

@tingjhenjiang all you have to do is go to Settings -> Protection -> Firewall -> Check the Internet Connection Sharing Mode. You can now access the internet on WSL2 without disabling Avast Firewall.

@tingjhenjiang

tingjhenjiang commented Sep 29, 2019

It is still worth noting that if I switch the option "For programs with no defined rules (i.e. programs not listed on the Application Rules page), do the following" from either "auto-decide" or "prompt" to "allow" in the Avast firewall, the connection works well, though it is not what I'm expecting.

Take Apache2 as an example: I checked Process Explorer and noticed that the process "apache2" was running when I activated the apache2 service in WSL. However, the process "bash" or "apache2" cannot be detected by the Avast firewall prompt (asking whether the user should allow this connection), so whenever apache2 runs, the connections are blocked by default.
If I establish a new rule for the application "DRIVE:\bash\rootfs\usr\sbin\apache2", the Avast firewall starts to catch event logs where connections related to apache2 are blocked by Avast (examples as attached). I still have to make that rule allow all connections so that I can successfully visit apache2 from local/localhost.

The final solution is as attached, where remote connections are blocked by default and local connections are allowed by default.

@denniswed

I know this thread is a little old, but is still very relevant, especially with WSLv2. Symantec Endpoint Protection, specifically the "Network and Host Exploit Mitigation" is blocking traffic coming back from our proxy. It sees the target IP address as unknown because that IP address is internal to the workstation and being NAT'd through the virtual interface WSLv2 appears to use. If I convert my instance to WSLv1, I don't have any network problems. Interestingly, Docker Desktop containers, installed and running with WSLv2, do NOT have the same problem. They work just fine.

@dadeke

dadeke commented Apr 26, 2022

Avast Real Site is causing this issue here.

Disable Real Site and all DNS resolution works in WSLv2.


How do I set an exclusion for Real Site?

I added dns://*.gh.neting.cc* but it is not working. 🤔

This issue has been automatically closed since it has not had any activity for the past year. If you're still experiencing this issue please re-file this as a new issue or feature request.

Thank you!
