Add symantec to the list of firewalls which blocks WSL #1046

Merged
merged 1 commit into from
Apr 7, 2021

felipecrs
Contributor

@opbld31

opbld31 commented Jan 4, 2021

Docs Build status updates of commit 5154f95:

✅ Validation status: passed

| File | Status | Preview URL | Details |
| --- | --- | --- | --- |
| WSL/faq.md | ✅ Succeeded | | |
| WSL/troubleshooting.md | ✅ Succeeded | | |

For more details, please refer to the build report.

Note: Broken links written as relative paths are included in the above build report. For broken links written as absolute paths or external URLs, see the broken link report.

For any questions, please:

@mattwojo
Collaborator

mattwojo commented Apr 7, 2021

Thanks for adding this @felipecrs! I just jumped on the chat for Symantec Endpoint Protection and asked them about this -- they pointed me to this doc that states:
"Added command-line scan support for the Windows Subsystem for Linux (WSL) processes. Dependent on SDS 1.12 or later."
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-MP1.html

I don't have a way to test... do you think this resolves the firewall issue? I'm going to merge your commit adding it to the list, but please let me know if you're able to test and show this being resolved by their update.
Thanks!
Matt

@mattwojo mattwojo merged commit 70f431d into MicrosoftDocs:master Apr 7, 2021
mattwojo added a commit that referenced this pull request Apr 7, 2021
@felipecrs felipecrs deleted the symantec branch April 7, 2021 19:10
@felipecrs
Contributor Author

This is awesome news. I'll test it here. Sadly I don't have control over the updates in my SEP, but I'll let you know of any news.

@userABCD-ship-it

@felipecrs & @mattwojo this does not appear to fix it.

We are running 14.3.3580.1100 and sudo apt update still times out on Ubuntu 20.04 in WSL2. As soon as I disable SEP it works.

@felipecrs
Contributor Author

I think your version is not new enough:

https://knowledge.broadcom.com/external/article/154575/versions-system-requirements-release-dat.html

Your build seems older than the one which was said to be fixed.

@userABCD-ship-it

Now running 14.3 RU2 and Windows 21H1 and this does not work.

"Allow IP traffic" is no longer a valid workaround either.

@charmicat

charmicat commented Jan 11, 2022

Running 14.3 RU3, still not working, only disabling the Firewall will do (which I can't permanently, as it's my work computer).

This is their current advice:
https://knowledge.broadcom.com/external/article/221329/endpoint-protection-firewall-blocks-netw.html

@felipecrs
Contributor Author

They suggest a workaround which must be re-made on every reboot. That's a total shame. :)

@felipecrs
Contributor Author

felipecrs commented Jan 11, 2022

I have a workaround though (and I have been using it for months now):

  1. Set up the NAT (Network Address Translation) for WSL2. Run the following command in PowerShell as Admin:

    New-NetNat -Name "WSLNat" -InternalIPInterfaceAddressPrefix 100.109.0.0/24
  2. Configure the DNS for the WSL Ubuntu distro. Run the following snippet in the Shell on Ubuntu:

    # Configure WSL to stop creating the /etc/resolv.conf automatically
    $ printf '%s\n' '[network]' 'generateResolvConf = false' | sudo tee /etc/wsl.conf
    
    # Remove the symlink so we can recreate the file
    $ sudo rm -f /etc/resolv.conf
    
    # Set the right DNS server, which will forward the requests to the Windows' interface
    $ printf '%s\n' 'nameserver 100.109.0.1' | sudo tee /etc/resolv.conf
    
    # Lock the file, so it can't be removed
    $ sudo chattr +i /etc/resolv.conf
  3. Add the script which will check whether a network fix is needed every time you open a Shell on Ubuntu, and automatically apply it. Run the following snippet in the Shell on Ubuntu:

    sudo tee /etc/profile.d/fix_wsl_network.sh <<'EOM'
    #!/bin/sh
    
    if ! ping 100.109.0.1 -W0.2 -c1 >/dev/null 2>&1; then
      echo "Fixing WSL network..."
      wsl.exe -d "$WSL_DISTRO_NAME" -u root bash -c "ip a flush dev eth0; ip addr add 100.109.0.10/24 dev eth0; ip route add default via 100.109.0.1; ip link set dev eth0 mtu 1400"
      echo "Please accept the privilege escalation prompt in the screen"
      powershell.exe -NoLogo -NoProfile -Command 'Exit (Start-Process powershell.exe -Wait -WindowStyle "Hidden" -PassThru -Verb runAs -ArgumentList "-NoLogo","-NoProfile","-Command","netsh interface ip set address name='"'"'vEthernet (WSL)'"'"' static 100.109.0.1 255.255.255.0 none").ExitCode'
      echo "Finished fixing WSL network."
    fi
    EOM
  4. Close the current Shell on Ubuntu and open a new one. This will trigger the script to fix the network. Then, test if the connection inside the WSL2 is working by trying to ping an address, such as GitHub. Run the following command inside of the Shell on Ubuntu:

    ping github.com -c3

@rabbagliettiandrea

rabbagliettiandrea commented Jan 11, 2022

A thousand thanks, man @felipecrs, thank you so much! It works like a charm. My compliments for that clean and clever solution :) And thanks for giving back.

@felipecrs
Contributor Author

Not all the credits go to me, I'm not the original author of the workaround (and unfortunately, I also don't know him). What I did was some enhancements on top of it to make it automatic and to wrap everything as a guide.

But I'm glad it helped you!

@dodyagung

@felipecrs I have followed your suggestion, but now my WSL can't connect to the internet anymore. It said:
ping: github.com: Temporary failure in name resolution
What should I do?

@felipecrs
Contributor Author

You said anymore. Does it mean it was working before?

@dodyagung

> You said anymore. Does it mean it was working before?

Yes, in several cases (pinging google, ubuntu.com, etc.) it works.
But it is blocked on npm install and apt update (blocked by SEP; disabling the SEP firewall will open it).

@felipecrs
Contributor Author

Weird. In my situation it wasn't partially working, it was entirely blocked.

What happens if you invoke the script manually?

Try:

source /etc/profile.d/fix_wsl_network.sh

Are you using ZSH?

@dodyagung

source /etc/profile.d/fix_wsl_network.sh

Yup, I'm using ZSH.
I ran source /etc/profile.d/fix_wsl_network.sh and, thanks, it works as before (ping OK, but not npm install/apt update) with the administrator elevation popup. Full access is not opened yet, still partial.

Anyway, thanks for your workaround.

@felipecrs
Contributor Author

felipecrs commented Jan 13, 2022

If you use ZSH, it does not source the scripts in /etc/profile.d automatically as bash does. Try adding source /etc/profile.d/fix_wsl_network.sh to one of your ZSH initialization scripts, like .zshrc.

@nachorvd02

I have used your workaround and it didn't help at all. In my case I use an sh shell with Ubuntu in my WSL 2, and before running your workaround I was able to use ping but I wasn't able to truly connect, and now it says:
ping: github.com: Temporary failure in name resolution
I tried to run source /etc/profile.d/fix_wsl_network.sh and then ping, but I got the same result. Now I am not able to do anything, can you help me?

@felipecrs
Contributor Author

felipecrs commented Sep 10, 2024

I no longer use or recommend this workaround. But you can simply undo it:

sudo chattr -i /etc/resolv.conf
sudo rm -f /etc/resolv.conf
sudo rm -f /etc/wsl.conf
wsl.exe --shutdown

This should be enough.
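
Added example, not part of the thread and not code from any participant: a read-only shell check that reports which pieces of the workaround posted above are still present in a distro, useful before and after running the undo commands. The function names and the optional root-directory argument are assumptions of this example; the file paths come from the thread.

```shell
# Added example: read-only audit of the workaround described in this thread.
# Function names and the optional ROOT argument are assumptions of this example.

# Print the generateResolvConf value from the [network] section of a wsl.conf.
wsl_conf_generate_resolv() {
  awk -F= '
    /^[ \t]*\[/ { in_net = (tolower($0) ~ /^[ \t]*\[network\]/); next }
    in_net {
      key = tolower($1); gsub(/[ \t]/, "", key)
      if (key == "generateresolvconf") {
        val = tolower($2); gsub(/[ \t\r]/, "", val); print val; exit
      }
    }' "$1" 2>/dev/null
}

# Print every nameserver address listed in a resolv.conf, one per line.
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null
}

# Print one line per workaround artifact found under ROOT (default: /).
audit_wsl_workaround() {
  root="${1:-}"
  conf="$root/etc/wsl.conf"
  resolv="$root/etc/resolv.conf"
  hook="$root/etc/profile.d/fix_wsl_network.sh"

  if [ "$(wsl_conf_generate_resolv "$conf")" = "false" ]; then
    echo "wsl.conf: generateResolvConf=false, WSL no longer writes resolv.conf"
  fi
  # The thread replaces the resolv.conf symlink with a regular, hand-made file.
  if [ -f "$resolv" ] && [ ! -L "$resolv" ]; then
    echo "resolv.conf: static file, nameserver=$(resolv_nameservers "$resolv" | paste -sd, -)"
    # lsattr may be unsupported on some filesystems; then this check is skipped.
    if lsattr "$resolv" 2>/dev/null | cut -d' ' -f1 | grep -q i; then
      echo "resolv.conf: immutable flag set (chattr +i)"
    fi
  fi
  if [ -f "$hook" ]; then
    echo "profile.d: $hook present, sourced by login shells"
  fi
  return 0
}

audit_wsl_workaround "${1:-}"
```

No output means none of the artifacts were found; a static resolv.conf on its own is only an indicator, since a file can be static for other reasons.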
