undefined | Better HN

0 pointsgerdesj5y ago0 comments

This sounds like working as designed and not a flaw. If your Linux box needs a firewall then put one on it. As the article says, the VM is using Hyper-V networking so it is likely that the connection is either bridged with a virty software switch or is NATted in some way but with a short cut through the host firewall. If the VM has an IP on your LAN it is bridged and if it doesn't and you don't have to fiddle with your internet router then NAT is in play.

Linux has lots of options for firewalling. For Windows sysadmins, firewalld with a GUI could be a reasonably familiar option. Failing that, ufw is quick and reasonably easy for simple use cases. If you are feeling macho, then roll your own with iptables or nftables. The last time I did that properly was with ipchains ...

0 comments

smarx0075y ago

I think the key idea is that Mullvad client changes firewall config on the fly to insert a 2nd highest prio rule "deny outgoing" allowing outgoing internet access only to itself until the VPN tunnel is established and then withdraws it automatically afterwards. So, a generic firewall advice is not applicable here as it's used in quite a specific way. If Microsoft does not fix the problem described in the blog post, I assume the easiest way would be to introduce some kind of daemon in a Windows client that a slave client tool installed in WSL env would have to connect to or the other way around to mirror a firewall config inside the Linux machine. And that will only work on recent versions, see https://github.com/microsoft/WSL/issues/4212#issue-459183662

UPD: I think it will be resolved in a much neater way soon https://github.com/microsoft/WSL/issues/4277#issuecomment-69...

gerdesjOP5y ago

I assume you mean this because I can't find any mention in the article about 2nd highest prio rules:

"How it leaks WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets in the same way normal packets are inspected. The forwarded (NATed) packets are seen in the lower layers of WFP (OSI layer 2) as Ethernet frames only. This type of leak can happen to any guest running under Windows Sandbox or Docker as well if they are configured to use Hyper-V for networking."

That is how virtual machines are supposed to work. Hyper-V is a virtualisation thing. Whatever Mullvad is doing is immaterial - they are only worrying about the host. If you use full on virty stuff, you need to treat each VM as a VM, not a container.

j / k navigate · click thread line to collapse