Endpoint Security Firewall blocks certain network traffic from WSL2/Docker instances
Last Modified: 2023-03-21 10:03:02 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Endpoint Security Firewall blocks certain network traffic from WSL2/Docker instances
Technical Articles ID:
KB94601
Last Modified: 2023-03-21 10:03:02 Etc/GMT Environment
Endpoint Security (ENS) Firewall 10.x
Problem
ENS Firewall blocks some network traffic from WSL2 or Docker instances. From the WSL2 console, when you execute Output results: The ENS Event: Traffic IP Address: 172.19.111.65 Description: HOST PROCESS FOR WINDOWS SERVICES Path: C:\Windows\System32\svchost.exe Message: Blocked Incoming UDP - Source 172.19.111.65 : (39171) Destination 172.19.96.1 : dns (53) Matched Rule: Block all traffic Cause
WSL2 and Docker create a virtual network adapter through which all network traffic flows. From the ENS Firewall point of view, this adapter receives incoming traffic from the WSL2/Docker instance and the default firewall rules block most of the incoming traffic on several ports.
Solution
Create firewall rules to allow incoming traffic on the required local ports so that the default firewall rules don't block the traffic from the WSL2/Docker instance. Examples are provided below, but aren't limited to these details. Create/modify the firewall rules for the environment as needed. Review the ENS Sample firewall rules to allow traffic from WSL2/Docker instances: Example #1:
Rule Action: Allow Direction: In Connection type: All types (Wired,Wireless,Virtual) Protocol: UDP/IPv4, UDP/IPv6 Local port: 53 Example #2: Rule Action: Allow Direction: In Connection type: All types (Wired,Wireless,Virtual) Protocol: TCP/IPv4, TCP/IPv6 Local port: 21 Example #3: Rule Action: Allow Direction: In Connection type: All types (Wired,Wireless,Virtual) Protocol: TCP/IPv4, TCP/IPv6 Local port: 80, 443 Affected ProductsLanguages:This article is available in the following languages: |
|