For some strange reason, my WSL2 firewall rules have no effect on WSL2 VMs, but this is not the case for WSL version 1 VMs. I guess this has to do with how the networking is implemented in V2? (Hyper-V stuff?)
So, anyone else also experiencing this? If so, is it possible to capture WSL2 VMs' traffic in my WFP driver and, for example, block WSL2 VMs from sending packets? Shouldn't wsl.exe send these packets?
And why is Windows Firewall blind to WSL2 VMs, unlike WSL1, and my block-all-outgoing rules do not work with it? Is this a backdoor by Microsoft or what?
What about just filtering all WSL2 packets? For example, blocking outgoing connections on port 22 for any WSL2 VM?
Which WFP layers see this packet? Any layer that also gives application info, so I can say that, for example, wsl.exe (or whatever else) is sending outgoing to port 22 and I would block it? This was possible with WSL1.
Also, isn't it strange that WSL2 VMs also bypass Windows Firewall rules? This doesn't make any sense. I understand that it wouldn't work for application-based rules, but what about rules that block every outgoing packet?!
Many companies, for example, have a Windows Firewall rule that blocks outgoing connections except for a whitelist; this just straight up bypasses everything, what the hell?
There can't be any application-specific filtering for WSL2 (or any other Hyper-V VMs) because the Windows kernel knows nothing about processes in the other OS kernel. The VM only sees the network adapter. How about using the built-in Linux firewall?
Windows Firewall uses WFP ALE and can't process connections outside of the default TCP/IP stack. I've mentioned the Hyper-V firewall above.
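As an added example (not from either poster), this is the Windows-side control the reply refers to: the Hyper-V firewall, which filters at the virtual switch port rather than in ALE, so it does see WSL2 VM traffic. It assumes Windows 11 22H2 or later with WSL 2.0+ (the `firewall` option in `.wslconfig` left at its default), an elevated session, and that the VMCreatorId shown is the one Microsoft documents for WSL; the 203.0.113.0/24 whitelist range is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny WSL2 egress with the Hyper-V firewall, plus an
# explicit outbound TCP/22 block. Requires Windows 11 22H2+ and WSL 2.0+.

# Assumption: Microsoft's documented VMCreatorId for WSL. Verified below.
$wslCreator = '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'

$creator = Get-NetFirewallHyperVVMCreator |
    Where-Object { $_.FriendlyName -eq 'WSL' -or $_.VMCreatorId -eq $wslCreator }
if (-not $creator) {
    throw 'WSL VM creator not registered; Hyper-V firewall may not be available on this build.'
}

# Block everything the VM sends unless a Hyper-V rule allows it (inbound default untouched).
Set-NetFirewallHyperVVMSetting -Name $wslCreator -DefaultOutboundAction Block

# Whitelist: HTTPS to a constructed example range only.
New-NetFirewallHyperVRule -Name 'WSL-Allow-HTTPS' `
    -DisplayName 'WSL2: allow outbound TCP/443 to 203.0.113.0/24' `
    -Direction Outbound -VMCreatorId $wslCreator -Protocol TCP `
    -RemotePorts 443 -RemoteAddresses '203.0.113.0/24' -Action Allow

# Explicit SSH egress block, kept separate from the default so it shows up on its own in audits.
New-NetFirewallHyperVRule -Name 'WSL-Block-SSH' `
    -DisplayName 'WSL2: block outbound TCP/22' `
    -Direction Outbound -VMCreatorId $wslCreator -Protocol TCP `
    -RemotePorts 22 -Action Block

# Review what is now enforced for WSL VMs.
Get-NetFirewallHyperVVMSetting -Name $wslCreator -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultOutboundAction, DefaultInboundAction
Get-NetFirewallHyperVRule -VMCreatorId $wslCreator |
    Select-Object Name, Direction, Action, Protocol, RemotePorts, RemoteAddresses
```

These rules apply to every VM created by WSL, not to a Windows process, which is why they work where per-application Windows Firewall rules cannot; the built-in Linux firewall inside the distro remains a second, independent layer.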
So, considering these packets do appear in the NDIS LWF drivers and also the WFP layer 2 and 3, is there any way to detect if a certain packet is for a WSL2 VM or not?