by AndrewDucker 2090 days ago
So, if I'm understanding correctly the Linux system gets access to the raw Ethernet system, and so bypasses the Windows firewall. Seems not entirely unreasonable - if you want Linux to use a firewall then install one into it.

But it should definitely be well publicised/documented, because otherwise people won't realise they have a gaping hole in their defences.


Right, this is as much a feature as it is a bug. But it's absolutely something that should be documented and under control of the host-side security layer.
vmswitch is configurable by the host. These VPN authors have no clue what they're doing; Windows firewall rules should not in any case be applied to traffic coming from a VM. Ridiculous.
> windows firewall rules should not in any case be applied to traffic coming from a VM

I can't agree with this. Everything is running on Windows. The VM runs on Windows and WSL exchanges data with Windows all the time. That the data on the Windows side can leak because I installed a Microsoft-approved product from the Microsoft store on a Windows box with a Microsoft firewall is unacceptable.

Here’s the issue with your issue: if you are using WSL2 (or other various Win10 configurations involving Hyper-V), then Windows is not running on bare metal anymore. In this scenario, Windows is just another guest operating system subject to a hypervisor. Windows is a VM, and your in-VM firewall applies to the VM in which it’s running.

This is how you get real linux “on” windows - the on part is an illusion, trickery to make using linux transparent and integrated. By comparison, WSL1, which is still supported, is “just” (it’s actually pretty impressive in its own right) syscalls translated to the NT kernel.

Microsoft could do a better job communicating this, but I don’t think any of their design decisions are bad in this regard.

In which case it sounds like the Windows tools for configuring things should configure HyperV's networking too.

You know, just like the software inside the Windows VM can launch a separate Linux VM; you're already controlling HyperV from inside that VM.

So this is also an issue (by which I mean something to be aware of, that I think most aren't) with Linux docker containers on Windows/macOS?

It makes perfect sense now you say it - I knew hyper-v was a hypervisor, I knew in basic broad strokes what a hypervisor is and where it sits, but for some reason this didn't occur to me.

It could be very alarming to people running containers 'on a Windows' server, but then such people are probably more familiar with hypervisors anyway.

Is hyper-v networking still somehow configurable from the 'host', or is it undesirable for containers unless you don't want to do anything to the network (in software on that machine)?
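One concrete way to answer the "is it still configurable from the host?" question is to look at what the host actually sees. The following is an added example, not code posted by anyone in this thread or shipped by Microsoft: it uses only built-in NetAdapter/NetSecurity cmdlets to enumerate the Hyper-V virtual Ethernet adapters present on the Windows side, the IP addresses and network profile assigned to them, and any Windows Firewall rules that are explicitly scoped to one of those interfaces. The adapter name `vEthernet (WSL)` is the default WSL2 creates, but it is assumed here and should be adjusted if your machine names it differently; the `Get-VMSwitch` call is optional because the Hyper-V PowerShell module is not present on every WSL2 install.

```powershell
# Added example (not from the thread): inspect the host side of the
# Hyper-V / WSL2 virtual networking from Windows PowerShell.
# Run in an elevated PowerShell session on the Windows host.

# Assumption: WSL2's adapter is named "vEthernet (WSL)". Change if needed.
$wslAlias = 'vEthernet (WSL)'

# 1. Host-side virtual adapters created by Hyper-V (WSL2 uses one of these).
$vAdapters = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*' }

"== Hyper-V virtual adapters visible to the host =="
$vAdapters | Format-Table Name, InterfaceDescription, Status, ifIndex -AutoSize

# 2. Addresses and the firewall profile (Domain/Private/Public) that Windows
#    applies to each virtual adapter. An "Unidentified network" on a Public
#    profile is common for these adapters and is worth knowing about.
foreach ($a in $vAdapters) {
    "== $($a.Name) =="
    Get-NetIPAddress -InterfaceIndex $a.ifIndex -ErrorAction SilentlyContinue |
        Format-Table IPAddress, PrefixLength, AddressFamily -AutoSize
    Get-NetConnectionProfile -InterfaceAlias $a.Name -ErrorAction SilentlyContinue |
        Format-Table Name, NetworkCategory -AutoSize
}

# 3. Firewall rules that are explicitly bound to the WSL adapter (as opposed
#    to rules that apply to "Any" interface). An empty result means no rule
#    has been scoped to that interface at all.
"== Firewall rules scoped to $wslAlias =="
Get-NetFirewallRule |
    Where-Object {
        ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -contains $wslAlias
    } |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize

# 4. Optional: the Hyper-V virtual switch itself. Requires the Hyper-V
#    PowerShell module; silently skipped when it is not installed.
if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
    "== Hyper-V virtual switches =="
    Get-VMSwitch | Format-Table Name, SwitchType, NetAdapterInterfaceDescription -AutoSize
}
```

Whether a rule scoped to that adapter actually governs packets the guest sends straight out of the virtual switch is the question the linked article raises; this script only shows what the host's own tooling knows about and has been told, which is the starting point for deciding where a control has to live.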

So WSL1 is reverse wine basically?
Nope, WSL 1 uses pico processes, a technology based on Drawbridge research.

https://www.microsoft.com/en-us/research/project/drawbridge/

https://docs.microsoft.com/en-us/archive/blogs/wsl/windows-s...

https://channel9.msdn.com/Blogs/Seth-Juarez/Windows-Subsyste...

It is a bit more advanced than Wine, with first class support from NT kernel.

Whereas WSL 2 uses Hyper-V, which is a type 1 hypervisor, all OSes run as guest, including Windows itself.

Not _exactly_, but it's a pretty close analogy. Certainly moreso than WSL2 is.
As far as I know this is how Hyper-V worked since at least Windows 8(.1?). Installing the role would relegate the Windows OS to guest VM status, albeit with more privileges than any other VM.

Microsoft should make it more obvious since most Windows 10 users shouldn't be expected to make this distinction by themselves.

> Everything is running on Windows. The VM runs on Windows

As far as I understand, that is not quite right. With WSL2, everything is running on Hyper-V, the VM and Windows both run in parallel on Hyper-V.

Wow! Just installing WSL-2 makes such a fundamental change to how Windows itself runs?
Enabling hyper-v does.
> If you want Linux to use a firewall then install one into it

Granted, I don't know much about WSL, but that's a very surprising model to me. I would naively assume that anything in userspace is controlled by the Windows OS-level firewall, not that Linux gets to emit raw packets. To say the least, I'm a little more hesitant than you are to call that reasonable.

As mentioned in other places in the article, in the WSL2 model, Linux is running under a Hyper-V hypervisor, and isn't in user space.
Huh - you want linux distributions to have to play with the windows firewall rules? You want windows firewall getting messed up by linux containers?

These VPN authors are just idiots - let's stop over complicating things. Half the time people LIKE that they can use linux firewall features on their linux hosts for stuff.

No, I'm pretty sure that is the exact opposite of what they are saying.

Maybe work on your reading comprehension?

Here is what they say is the "leak"

"How it leaks

WSL2 uses Hyper-V virtual networking and therein lies the problem. The Hyper-V Virtual Ethernet Adapter passes traffic to and from guests without letting the host’s firewall inspect the packets"

So they are complaining that the Linux subsystem and distribution packets are not processed by the Windows firewall. I don't know what to tell you, but the idea that the Windows firewall should be in the mix on a Fedora distro seems a bit ridiculous?

You didn't reply to the article directly, you replied to a comment on the article - one that was making the exact point that you are repeating.
I thought they were saying microsoft needs to document this third party software behavior. Definitely the VPN folks should document this.