-
Notifications
You must be signed in to change notification settings - Fork 832
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No internet with 3rd party AV/Firewall #475
Comments
I'm running on Norton 360 and everything seems to work so far. Was able to install and download stuff inside of Bash on Windows. The only problems I have are more related to the overall network implementation on Bash on Windows. Things such as ifconfig doesn't work or at least display the current IP address. Many NodeJS thing try to be dynamic and try to read the current IP Adress configuration. |
Im using windows firewall and am trying to figure out where this new subsystem relates to configuring it. I hope we figure it out.. I might play around and try some things.. |
Using Norton security works but using Microsoft firewall (Microsoft Defender) stops all internet access in bash I carn't access apache2 or anything with Microsoft firewall. |
I have BitDefender Endpoint Security (which apparently I cannot turn off, managed by ICT adminstrator) and it does not work.
|
Running AVG Internet Security (16.81.7640), and I am unable to get any network connectivity. |
I run my system where all outgoing connections are blocked until they are explicitly allowed, and a firewall rule is created, However, can't seem to find a way to allow pico processes through Windows Firewall as an exception when everything else is blocked. |
Faced a boat-load of problems installing and updating Lxss with Kaspersky Total Security (KTS) installed. Tried a lot of workarounds, including unblocking networks, ports, files and folders in KTS and installing and reinstalling the whole Subsystem about five times. Uninstalling KTS solved many of the network issues. I could finally install and update using |
I'm using AVG Internet security and even if I'm in the trusted network and I've disabled every option on AVG ("turn off firewall until next reboot", etc.) I can't get commands such as apt-get to connect to the internet, I just get a general permission denied error. Nslookup seems to work when I disable the firewall, but nothing else - however - if I uninstall AVG then everything works as it should. I can apt-get and the like without any issue; so it's some sort of issue with the AVG interaction. Any suggestions? |
Avast Internet Security blocks internet as well. All connections seem to just hang forever. Avast's logs show no blocked traffic, deactivating the Firewall resolves this. |
Kaspersky also blocks most of outgoing connections, especially when using apt-get update / upgrade. Uninstalling kaspersky works great, disabling it isn't enough. |
+1 for broken with windows firewall. No way to create an outbound rule to allow. Disabling the firewall is not a solution. My configuration is: outbound connections that do not match a rule are blocked. |
Setting the adapter to Trusted in Bitdefender "works", but this can't be the long-term solution being proposed by Microsoft. There has to be some way to work with these vendors so that we can get WSL processes whitelisted by the firewall products so we don't have to disable a critical security feature to use basic networking in WSL. |
@allquixotic You're right, this definitely isn't a long-term solution. Essentially the problem is that with WSL we've introduced a new type of process that these firewalls don't know how to handle. I've reached out to people at Kaspersky and will do the same for the Bitdefender folks so we can help them make the changes they'll need to enlighten their firewalls to our new type of process. |
@benhillis What is, or will there be. the right way to identify these processes in Windows Firewall? |
I disable kaspersky firewall and windows firewall, and errors persists (No ping, apt-get with err connections, etc..). I need to remove Kaspersky?? :/ |
Ben, Is there a way to transform the data into "process information" that those third party firewalls could understand natively? It might be counter productive to ask them to add an entirely new type. I could be wrong long term as Linux processes, and Windows obviously could Lol.. Windows defender is just as good as these firewalls these days. Most use Microsoft detours as their hooks as well.. Maybe not the major but the lower 90%... Oh well. I think it could be relatively possibly to either in real time translate a connection to requesting attention from prior WSL firewalls either in real time or a linked list being updated? I'm not too sit considering it's closed source and I'm just observing from the outside in. I haven't had a chance to put pico processes under IDA pro. Have a great week. Sent from my iPhone
|
Technically it is an unsigned file ;) never before has there been a system polling both file types, and applications together like this.. So it's viewing ELF files (even if somehow getting a hash) as unsigned... Sent from my iPhone
|
@allanortiz : did you closed or just disabled Kaspersky? |
@degoya just disabled. Can't I work with bash shell having kaspersky activated? |
@mikeguidry So, there's nothing to do with Avast to allow it? Or there's a rule to make it work? |
For me, even global rules in Avast were not applied to WSL processes. But disabling the firewall sufficed for getting connections to work. |
@ramonwirsch But keeping firewall disabled... xD |
I know, i know... But I use it mainly to compile stuff and only need connectivity for updates or git pulls, so for me it is not too big of a Problem.... |
But I haven't tried yet, does ssh work with this issue? |
i think the only thing we could do is wait until all the 3rd party firewalls will update. https://forum.kaspersky.com/index.php?s=662d01d349ad8497a83c6ea81871f05e&showtopic=354919 |
@degoya And you know is there's anything for Avast? |
@ZatsuneNoMokou : sorry, no idea if there is anything for avast in the works. |
Yep they want outgoing 53 open. And 80. And 443. Like this. Probably 22. Or pick your port poison. The ask is because people have spent years in Docker and Cygwin. With Docker you can write firewall rules for Docker's IP address in Linux. With Cygwin you can whitelist |
In my case it's because I block outbound network access in Windows Firewall by default, so I'm faced with two options:
Right now I just go with option 2. Given the option of letting WSL completely bypass Windows Firewall I would do that and use it for a few things that I use VMs for now. I wouldn't bother with per-port rules for my use-case. I'm sure others have different needs. |
That is equivalent to option (1). Because WSL is Windows and anyone who has user privileges that allow them to call call That said, I have no doubt adding a "allow all pico processes" checkbox in Windows Firewall will make people happy anyway. So sure, why not. |
@therealkenc , good remark indeed. And I suppose there is no way of using iptables with WSL like you would on a classical UNIX system? |
Yeah no iptables. Yet. |
Back towards the end of 2016, @russalex posted that the internal Windows Firewall team was being looped in; Have they recognized the problem with the native Windows Firewall and outbound whitelisting? thanks! |
+1 to fix these issues with Kaspersky (still not supported on Kaspersky 11). I have created a support request |
@yonailo I wonder what exactly doesn't work in your case. I've Kaspersky Internet Security installed and use WSL daily to fetch code from GitHub and to connect to my local and external servers without any problems. |
At the moment to work with Kaspersky AV you must go on settings > advanced > network > monitor port and disables 80/443 |
Disabling works for me but it is not unblocked immediately, usually there is a delay of some seconds (less than a minute for sure). |
I've got Avast Internet Security and I've tried disabling firewall and included a rule to allow WSL' ping directory full access. But I still cannot ping any thing on wsl ubuntu for windows 10 |
I was having issues with my Vagrant on WSL wherein accessing an external API doesn't seem to finish. Checking the logs of the server where the API resides isn't showing anything since I really was not able to connect. Found out that BitDefender was the culprit. For now, I added my API's domain name in the exclusions and everything works fine now. |
First had a problem failing all connections, then only some, but still couldnt get to install gcc.
I dunno if all or only some of this helped, but somehow i got apt-get install gcc to download the rest and work. |
Yeah any updates? |
An update for Kaspersky: Getting worse with newer versions. Individual processes from WSL like apt-get or git appear in the program list, but even if they are trusted the connection is blocked. Disable controlling of port 80 and 443 (Settings--Additional--Network) solves most of the problems, but of course reduces the security of the system. |
I had the same issue with Zone Alarm Firewall. It seems to block traffic for WSL. Snoozing the firewall or antivirus doesn't work. it has to be stopped completely. |
I'm trying to get a Flask app running via WSL and I can't open it from the browser via 127.0.0.1:5000. I have an Avast antivirus. I tried setting the adapters to private (trusted) and adding rules to allow for wsl.exe and bash.exe. I also added them to the exclusions list just to be sure, but it doesn't work. However, disabling the Avast firewall works but that isn't a real solution. Is there any fix to this by now? It's 2019! |
It's a misunderstanding to think the processes run inside WSL; they run directly on the Windows kernel. If you type for example
into WSL and open the Windows Task Manager, you will see 'perl' for one minute on the list. This means not WSL or bash, but Perl, Python or whatever process you start needs to be trusted by the firewall. This is probably what the AV developers don't understand. |
Now I'm using WSL 2 and avast internet security and the network connection are blocked by avast firewall. If I turn off avast firewall network connection works well. When firewall is on, even after I add |
@tingjhenjiang all you have to do is go to Settings -> Protection -> Firewall -> Check the Internet Connection Sharing Mode. You can now access the internet on WSL2 without disabling Avast Firewall. |
I know this thread is a little old, but is still very relevant, especially with WSLv2. Symantec Endpoint Protection, specifically the "Network and Host Exploit Mitigation" is blocking traffic coming back from our proxy. It sees the target IP address as unknown because that IP address is internal to the workstation and being NAT'd through the virtual interface WSLv2 appears to use. If I convert my instance to WSLv1, I don't have any network problems. Interestingly, Docker Desktop containers, installed and running with WSLv2, do NOT have the same problem. They work just fine. |
Avast Real Site is causing this issue here. Disable Real Site and all DNS resolutions working in WSLv2 . How do I set an exclusion for Real Site? I added |
This issue has been automatically closed since it has not had any activity for the past year. If you're still experiencing this issue please re-file this as a new issue or feature request. Thank you! |
Providing a place where people can report issues running 3rd party firewalls. For this, please report:
We do know from thread #5 that many people with Bitdefender have discovered turning off their firewall and / or setting their network adapter as Trusted (which basically turns off the firewall for that adapter) allows for network connectivity.
Goal of this thread is to help inform us which configurations have issues and help us document any potential workarounds as well as find any bugs / fixes we may need to address.
The text was updated successfully, but these errors were encountered: