xdebug from WSL2 to Windows blocked by Windows Defender #11139

Closed

sboden opened this issue Feb 8, 2024 · 7 comments
sboden commented Feb 8, 2024

Windows Version

Microsoft Windows [Version 10.0.19045.3930]

WSL Version

0.0.0.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.10.102.1

Distro Version

Ubuntu-20.04

Other Software

Windows Defender

Repro Steps

I'm trying to debug PHP using xdebug where PhpStorm is running on Windows and my web application is running on WSL2.

When I disable the WSL interface for Windows Defender by running the following command on Windows in an elevated cmd:

powershell -Command "Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases 'vEthernet (WSL)'"

I can do the following from within WSL2:

telnet 172.23.208.1 9003

And this gets me connected to PhpStorm; port 9003 is the port I use for PhpStorm xdebugging, and 172.23.208.1 is the IP address of the vEthernet (WSL) adapter from ipconfig /all on Windows. Extract like this:

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   IPv4 Address. . . . . . . . . . . : 172.23.208.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0

This way xdebug works, but when I open Windows Security there's a warning (and button) under Firewall stating "Restore Settings", and apparently that also flags somewhere on a company security board.

When I "Restore settings" and try the same telnet 172.23.208.1 9003 from within WSL2, the command hangs and does not connect to PhpStorm.

So I tried to open port 9003 with a firewall rule while keeping the WSL interface enabled... For the moment I tried the following from an elevated PowerShell:

New-NetFirewallRule -DisplayName "Test 9003" -InterfaceAlias "vEthernet (WSL)" -Direction Inbound -Protocol TCP -LocalPort 9003 -Action Allow

and

New-NetFirewallRule -DisplayName "WSL Inbound" -Direction Inbound   -InterfaceAlias "vEthernet (WSL)"  -Action Allow

I also tried making a firewall rule for the PhpStorm application using the advanced settings of Windows Defender. I have no "block" rules.

But all fail to give the same result as disabling the WSL interface.

Expected Behavior

A way to debug a web application from WSL2 to Windows PhpStorm on port 9003 without triggering a Windows Security alert.
A way to poke a hole in the firewall that works.

Actual Behavior

Keeping the WSL interface enabled in Windows Defender with firewall rules to allow port 9003 does not work. Or I don't find the proper command to make it work.

Diagnostic Logs

No response
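The two approaches in the report, side by side, as an added example (this is not the reporter's command set and not code from the WSL project): the interface exemption that makes xdebug work but trips the Windows Security warning, and an allow rule scoped to the debugger port, the WSL switch and the WSL subnet only. It assumes the adapter alias is still exactly "vEthernet (WSL)" as in the ipconfig extract (newer WSL builds name the adapter differently), that PhpStorm listens on TCP 9003, and the rule name is my own choice. The subnet is derived from the adapter rather than typed in, because the WSL NAT range changes between reboots (the thread itself shows 172.23.208.1, 172.25.96.1 and 192.168.192.1).

```powershell
# Added example, not the reporter's commands: scope the allow rule to the
# debugger port, the WSL switch and the WSL subnet instead of exempting the
# whole interface from the firewall. Run in an elevated PowerShell on Windows.
# Assumptions: adapter alias "vEthernet (WSL)", PhpStorm on TCP 9003,
# rule name chosen here.
#Requires -RunAsAdministrator

$ifAlias  = 'vEthernet (WSL)'
$port     = 9003
$ruleName = 'WSL xdebug 9003'

# The Hyper-V switch normally lands in the Public profile, which is why the
# reporter's workaround targeted -Profile Public. Read it instead of guessing.
$conn = Get-NetConnectionProfile -InterfaceAlias $ifAlias -ErrorAction Stop
$fwProfile = if ($conn.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$conn.NetworkCategory }
"Interface '$ifAlias' is in the $fwProfile profile"

# Derive the WSL subnet from the adapter address and prefix length, masking
# octet by octet (172.23.208.1/20 -> 172.23.208.0/20 for the extract above).
$addr    = Get-NetIPAddress -InterfaceAlias $ifAlias -AddressFamily IPv4 -ErrorAction Stop | Select-Object -First 1
$octets  = ([System.Net.IPAddress]$addr.IPAddress).GetAddressBytes()
$network = [byte[]]::new(4)
for ($i = 0; $i -lt 4; $i++) {
    $bits = [math]::Min(8, [math]::Max(0, $addr.PrefixLength - 8 * $i))   # mask bits in this octet
    $network[$i] = $octets[$i] -band ((0xFF -shl (8 - $bits)) -band 0xFF)
}
$netAddr   = [System.Net.IPAddress]::new($network)
$wslSubnet = "$netAddr/$($addr.PrefixLength)"
"WSL subnet: $wslSubnet"

# Replace any previous copy of the rule so re-running the script is safe.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Allow xdebug connections from WSL2 to PhpStorm' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $port `
    -InterfaceAlias $ifAlias `
    -RemoteAddress $wslSubnet `
    -Profile $fwProfile | Out-Null

# A rule only filters traffic once it is in the merged policy (ActiveStore);
# one that exists only in PersistentStore does nothing.
Get-NetFirewallRule -DisplayName $ruleName -PolicyStore ActiveStore |
    Select-Object DisplayName, Enabled, Profile, EnforcementStatus, PolicyStoreSource

# The debugger must listen on a non-loopback address: a listener bound to
# 127.0.0.1 is unreachable from WSL whatever the firewall does.
Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# For contrast, the reporter's workaround and how to reverse it. Exempting the
# interface switches filtering off on that switch, which is what Windows
# Security reports under "Restore settings":
#   Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases 'vEthernet (WSL)'
#   Set-NetFirewallProfile -Profile Public -DisabledInterfaceAliases NotConfigured
```

The -RemoteAddress restriction is the part that makes this safer than the "WSL Inbound" rule tried in the report: even if the alias were ever reused by another virtual switch, only the WSL range could reach the debugger port. The telnet check from the WSL side stays the same as in the report.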

@chanpreetdhanjal

Hi. Can you please collect networking logs by following the instructions below?
https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues

sboden commented Feb 15, 2024

Not_working_WslNetworkingLogs-2024-02-15_16-51-04.zip
Working_WslNetworkingLogs-2024-02-15_16-49-14.zip

The "Not_working" is after I pressed "Restore settings" in Windows Security, so all firewall interfaces are up and I don't get a connection. The "Working" is when I disabled the WSL interface in Defender, and I do get a connection.

In both instances I did a "telnet 172.25.96.1 9003" from within WSL2. PhpStorm is listening on port 9003 on the Windows side.

CatalinFetoiu commented Aug 13, 2024

Thanks for attaching the logs, and sorry for the delay following up on this.

In the "not working" logs I did not see the rules you mentioned you added ("Test 9003" and "WSL Inbound"). I also did not see WFP filters associated with those (rules get translated to filters, and the filters are the ones that end up allowing/blocking traffic).

Can you try adding either of those rules again and confirm they show up in the output of "Get-NetFirewallRule -PolicyStore ActiveStore"?

sboden commented Aug 13, 2024

In the meantime I fixed it, but I forget the exact details.

My laptop is part of the company AD. I was browsing through gpedit.msc and found a policy that prohibits firewall changes; I configured that, and afterwards the original solution of allowing an extra port through the firewall worked.

But I don't seem to find that entry anymore right now.
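The check the collaborator asked for (is the rule in ActiveStore at all?) and the domain-policy angle the reporter ran into, as one added example; none of it is the collaborator's or the reporter's own commands. The rule names are the two from the thread. Which policy the reporter changed in gpedit.msc is not recorded on the page; the one inspected here, "Apply local firewall rules" (registry value AllowLocalPolicyMerge under the WindowsFirewall policy key), is my pick because when a GPO sets it to No, locally created rules are written to the persistent store but never merged into the active policy, which is exactly the symptom described.

```powershell
# Added example, not from the thread: find out why a rule New-NetFirewallRule
# accepted still filters nothing. Run in an elevated PowerShell.
# Rule names come from the thread; the GPO setting checked is my assumption
# about what the reporter found, not something the page states.
#Requires -RunAsAdministrator

$ruleNames = 'Test 9003', 'WSL Inbound'

# 1. The console and PersistentStore show what was written locally; only rules
#    that reach ActiveStore (local policy merged with GPO) are enforced.
foreach ($name in $ruleNames) {
    $local  = Get-NetFirewallRule -PolicyStore PersistentStore -DisplayName $name -ErrorAction SilentlyContinue
    $active = Get-NetFirewallRule -PolicyStore ActiveStore     -DisplayName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Rule          = $name
        InLocalStore  = [bool]$local
        InActiveStore = [bool]$active
        Enforcement   = if ($active) { $active.EnforcementStatus } else { 'not applied' }
    } | Format-List
    if ($active) {
        # The filters the rule was translated into, one object per aspect.
        $active | Get-NetFirewallPortFilter      | Select-Object Protocol, LocalPort         | Format-List
        $active | Get-NetFirewallInterfaceFilter | Select-Object InterfaceAlias              | Format-List
        $active | Get-NetFirewallAddressFilter   | Select-Object LocalAddress, RemoteAddress | Format-List
    }
}

# 2. Effective profile settings. AllowLocalFirewallRules = False means policy
#    told the firewall to ignore every locally created rule, so the rules above
#    never reach ActiveStore however often they are recreated.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules,
                  DisabledInterfaceAliases, LogBlocked, LogFileName | Format-List

# 3. The same setting as pushed by Group Policy. 0 = local rules are ignored.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $key = Join-Path $policyRoot $p
    $v = Get-ItemProperty -Path $key -Name AllowLocalPolicyMerge -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        '{0}: AllowLocalPolicyMerge = {1} (set by policy; 0 disables local rules)' -f $p, $v.AllowLocalPolicyMerge
    } else {
        "${p}: no AllowLocalPolicyMerge policy value (local setting applies)"
    }
}
```

If step 3 reports 0 for the profile the WSL switch is in, flipping it in gpedit.msc on a domain-joined machine only lasts until the next policy refresh overwrites it; the durable fix in a managed environment is to have the allow rule delivered through the same GPO, which then shows up with PolicyStoreSource GroupPolicy in ActiveStore.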

@CatalinFetoiu

Thanks for following up, glad to hear it got resolved.

I am closing the issue.

@blacktek

Hello,
I have the exact same issue and I was not able to solve it.

I have Docker installed in WSL2 (but I think that this doesn't matter). From WSL (IP 192.168.193.81) I cannot telnet to port 9003 on the host (IP 192.168.192.1) while the Windows Defender public profile protection is enabled.

From an elevated PowerShell I created the rules that are supposed to work, but no luck:

PowerShell 7.4.6
PS C:\Users\pc> New-NetFirewallRule -DisplayName "WSL Allow port 9003" -InterfaceAlias "vEthernet (WSL)" -Direction Inbound -Protocol TCP -LocalPort 9003 -Action Allow

Name : {73cd0d51-b5a3-460e-a8c8-a845c34f9d95}
DisplayName : WSL Allow port 9003
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses :
PolicyAppId :

PS C:\Users\pc> New-NetFirewallRule -DisplayName "WSL Inbound" -Direction Inbound -InterfaceAlias "vEthernet (WSL)" -Action Allow

Name : {b73ce6f4-3a28-4a43-b5b3-ad09be85c205}
DisplayName : WSL Inbound
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
RemoteDynamicKeywordAddresses :
PolicyAppId :

PS C:\Users\pc>

In the Windows Defender logs I see:

PS C:\Users\pc> tail -f C:\Users\pc\Desktop\temp\pfirewall.log
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-11-14 19:47:59 DROP TCP 192.168.193.81 192.168.192.1 55004 9003 60 S 3248284387 0 64240 - - - RECEIVE
2024-11-14 19:48:00 DROP TCP 192.168.193.81 192.168.192.1 55004 9003 60 S 3248284387 0 64240 - - - RECEIVE

I've attached the firewall rules on my system:
public_profile_defneder_rules.txt

Can you help?
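The pfirewall.log lines above are the most useful evidence in the thread: a SYN from the WSL address dropped on RECEIVE, repeated a second later, is the retransmitted SYN of the hanging telnet, and it says no allow rule matched in the profile that interface sits in. As an added example (constructed here, not the commenter's attachment or anything from the WSL project), the script below turns that log format into objects and summarises the drops aimed at the debugger port. The two DROP lines are copied from the comment; the ALLOW line is made up so the filter has something to exclude.

```powershell
# Added example: parse Windows Defender Firewall (pfirewall.log) lines and
# summarise inbound SYNs dropped on a given port. Sample lines are embedded
# so it runs offline; the last line is constructed for contrast.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-11-14 19:47:59 DROP TCP 192.168.193.81 192.168.192.1 55004 9003 60 S 3248284387 0 64240 - - - RECEIVE
2024-11-14 19:48:00 DROP TCP 192.168.193.81 192.168.192.1 55004 9003 60 S 3248284387 0 64240 - - - RECEIVE
2024-11-14 19:48:07 ALLOW TCP 192.168.193.81 192.168.192.1 55010 22 60 S 91827364 0 64240 - - - RECEIVE
'@

function ConvertFrom-PfirewallLog {
    # Turn the W3C-style log into objects, using the #Fields line as the header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fields) { throw 'No #Fields header in log' }
    $header = ($fields -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $header
}

function Get-DroppedSyn {
    # Inbound SYNs dropped on $Port, grouped by source address. Several DROPs
    # for the same flow a second apart are SYN retransmits of one attempt.
    param([object[]]$Events, [int]$Port)
    $Events |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' -and
                       $_.'dst-port' -eq "$Port" -and $_.tcpflags -eq 'S' } |
        Group-Object 'src-ip' | ForEach-Object {
            $g = @($_.Group)
            [pscustomobject]@{
                Source    = $_.Name
                Dest      = $g[0].'dst-ip'
                Port      = $Port
                Drops     = $_.Count
                FirstSeen = '{0} {1}' -f $g[0].date, $g[0].time
                LastSeen  = '{0} {1}' -f $g[-1].date, $g[-1].time
            }
        }
}

$events = ConvertFrom-PfirewallLog -Lines ($sample -split "`r?`n")
Get-DroppedSyn -Events $events -Port 9003 | Format-Table -AutoSize

# Against the real log: the path comes from the active profile and contains
# %systemroot%, so expand it first. Reading it needs elevation.
# $logPath = [Environment]::ExpandEnvironmentVariables(
#                (Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore).LogFileName)
# Get-DroppedSyn -Events (ConvertFrom-PfirewallLog -Lines (Get-Content $logPath)) -Port 9003
```

On the sample it reports one source, 192.168.193.81, with two dropped SYNs to 192.168.192.1:9003; the port-22 ALLOW line is filtered out. Dropped packets only appear in the log when LogBlocked is enabled on the profile, which the commenter evidently had turned on; on a default install the log stays empty and the hang has no trace.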
