I am trying to lock down WSL2 in my environment. I am not able to use the tools in Intune to manage WSL2 because I am not on Windows 11. So, I created a script to pull the IP of the WSL2 Interface and then a separate script to run that creates firewall rules to block all inbound and outbound.
I know that Ubuntu pulls from
$allowedSites = @("archive.ubuntu.com","security.ubuntu.com","ppa.launchpadcontent.net")
But even though these sites are whitelisted, my WSL2 instance can't seem to pull updates from these services.
Here is the full script for the firewall rules.
# Define the path to the persistent log file
$FilePath = "$env:USERPROFILE\wsl_ip.log"
$logFilePath = $FilePath -replace "\.ad", ""   # no-op unless the path contains ".ad"
Write-Host "Modified path: $logFilePath"

# Define the allowed sites for Ubuntu updates
$allowedSites = @("archive.ubuntu.com", "security.ubuntu.com", "ppa.launchpadcontent.net")

# Function to create firewall rules
function Create-FirewallRule {
    param(
        [string]$ipAddress,
        [string[]]$allowedSites
    )

    # Create a rule to block all inbound traffic for the IP address
    New-NetFirewallRule -DisplayName "Block all inbound traffic for WSL IP" `
        -Direction Inbound `
        -RemoteAddress $ipAddress `
        -Action Block `
        -Profile Any `
        -Description "Blocks all inbound traffic for WSL IP except for allowed sites"

    # Create a rule to block all outbound traffic for the IP address
    New-NetFirewallRule -DisplayName "Block all outbound traffic for WSL IP" `
        -Direction Outbound `
        -RemoteAddress $ipAddress `
        -Action Block `
        -Profile Any `
        -Description "Blocks all outbound traffic for WSL IP except for allowed sites"

    # Allow outbound traffic to specific sites for Ubuntu updates
    # Note: $site only appears in the display name and description; the rule itself
    # matches on $ipAddress (the WSL address), protocol TCP and the listed remote ports.
    foreach ($site in $allowedSites) {
        New-NetFirewallRule -DisplayName "Allow outbound traffic to $site" `
            -Direction Outbound `
            -RemoteAddress $ipAddress `
            -RemotePort 80, 443, 21, 53 `
            -Protocol TCP `
            -Action Allow `
            -Profile Any `
            -Description "Allows outbound traffic to $site"
    }

    # Allow inbound traffic from specific sites for Ubuntu updates (same matching as above)
    foreach ($site in $allowedSites) {
        New-NetFirewallRule -DisplayName "Allow inbound traffic from $site" `
            -Direction Inbound `
            -RemoteAddress $ipAddress `
            -RemotePort 80, 443, 21, 53 `
            -Protocol TCP `
            -Action Allow `
            -Profile Any `
            -Description "Allows inbound traffic from $site"
    }
}

# Read the log file and search for the line containing the IP address
$searchPattern = "ip addr:"
$ipLine = Select-String -Path $logFilePath -Pattern $searchPattern | Select-Object -First 1

# Check if a line was found
if ($ipLine) {
    # Extract the IP address from the line
    $ipLineText = $ipLine.Line
    # Adjust the extraction based on the actual format of the line
    $ipAddress = ($ipLineText -replace ".*ip addr:\s*", "").Trim()
    Write-Host "Found IP address: $ipAddress"

    # Create the firewall rules using the extracted IP address
    Create-FirewallRule -ipAddress $ipAddress -allowedSites $allowedSites
} else {
    Write-Host "No line containing IP address found in the log file."

    # Print all .log files in the directory that holds the log file
    # ($logFilePath is a file, so list its parent directory)
    Write-Host "Listing all .log files in the log file path:"
    Get-ChildItem -Path (Split-Path $logFilePath -Parent) | Where-Object { $_.Extension -eq ".log" } | ForEach-Object {
        Write-Host "File: $($_.Name)"
        # Print the contents of the .log file
        Write-Host "Contents of $($_.Name):"
        Get-Content $_.FullName | ForEach-Object { Write-Host $_ }
        Write-Host "End of contents of $($_.Name)"
    }
}
I try to update with these firewall rules and get a name failure
Ign:1 https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:1 https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:1 https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Err:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:1 https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu jammy InRelease
  Temporary failure resolving 'ppa.launchpadcontent.net'
Ign:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:2 http://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:5 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Err:2 http://archive.ubuntu.com/ubuntu jammy InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:5 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch https://ppa.launchpadcontent.net/deadsnakes/ppa/ubuntu/dists/jammy/InRelease  Temporary failure resolving 'ppa.launchpadcontent.net'
W: Some index files failed to download. They have been ignored, or old ones used instead.
But once I remove the rules it works fine, so I think I'm just configuring the rules wrong. I think I am setting up the rules to just block traffic to WSL2, which isn't my intention.
I want to set up these rules on the specific interface WSL2 is using.
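The following is an added example, not the poster's script, showing one way to scope the rules to the WSL adapter on the Windows host instead of keying them on the WSL IP. It assumes (none of this is in the post) that the WSL2 virtual switch appears on the host with the adapter alias `vEthernet (WSL)`, that the three mirrors resolve to IPv4 addresses, and that the rule group name and the `example.com` probe host are arbitrary labels chosen here. Two Windows Firewall behaviours drive the design: explicit Block rules are evaluated ahead of Allow rules, so a "block everything" rule must not overlap the traffic the allows are meant to permit; and in WSL2's default NAT mode the distro's `/etc/resolv.conf` points at the host's address on that adapter, so name lookups from the VM arrive inbound on the host on local port 53, which the original rules (TCP only, keyed on `RemotePort`) never matched.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original poster's script. Assumptions (not from the post):
#   - the WSL2 switch shows up on the host with the adapter alias below
#   - the allow-listed mirrors resolve to IPv4 addresses
#   - the group name is an arbitrary label used for cleanup
$WslInterfaceAlias = 'vEthernet (WSL)'          # assumed; confirm with Get-NetAdapter
$RuleGroup         = 'WSL2 lockdown (example)'  # assumed group name
$AllowedSites      = @('archive.ubuntu.com', 'security.ubuntu.com', 'ppa.launchpadcontent.net')

function ConvertTo-UInt32IP([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}
function ConvertFrom-UInt32IP([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    [System.Net.IPAddress]::new($bytes).ToString()
}

# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a
# "block everything" rule wins over per-site allows regardless of creation
# order. The block rule must therefore cover every address EXCEPT the allowed
# ones; this turns the allow-list into the complementary IPv4 ranges.
function Get-ComplementRanges([string[]]$AllowedIps) {
    $ranges = New-Object System.Collections.Generic.List[string]
    [uint64]$next = ConvertTo-UInt32IP '1.0.0.0'   # 0.0.0.0/8 is not routable; skip it
    foreach ($ip in ($AllowedIps | ForEach-Object { ConvertTo-UInt32IP $_ } | Sort-Object -Unique)) {
        if ($ip -gt $next) {
            $ranges.Add(('{0}-{1}' -f (ConvertFrom-UInt32IP $next), (ConvertFrom-UInt32IP ($ip - 1))))
        }
        $next = [uint64]$ip + 1
    }
    if ($next -le [uint32]::MaxValue) { $ranges.Add('{0}-255.255.255.255' -f (ConvertFrom-UInt32IP $next)) }
    $ranges.ToArray()
}

# Rules match addresses, not names, so resolve the allow-list up front.
function Resolve-AllowedIps {
    $AllowedSites | ForEach-Object {
        Resolve-DnsName -Name $_ -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |          # drop CNAME entries in the answer
            Select-Object -ExpandProperty IPAddress
    } | Sort-Object -Unique
}

function Set-WslLockdownRules {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $allowedIps = Resolve-AllowedIps
    $hostIp = (Get-NetIPAddress -InterfaceAlias $WslInterfaceAlias -AddressFamily IPv4 -ErrorAction Stop).IPAddress

    # Idempotent: remove rules from a previous run before re-creating them.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $common = @{ Group = $RuleGroup; InterfaceAlias = $WslInterfaceAlias; Profile = 'Any' }

    # 1. DNS: lookups from the distro go to the host's own address on this adapter,
    #    i.e. INBOUND on local port 53, mostly UDP. Without this, apt fails with
    #    "Temporary failure resolving" before any mirror rule is ever consulted.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule @common -DisplayName "WSL2 allow DNS to host ($proto)" -Direction Inbound `
            -Protocol $proto -LocalAddress $hostIp -LocalPort 53 -Action Allow
    }
    # 2. Mirrors: HTTP/HTTPS only, to the resolved addresses.
    New-NetFirewallRule @common -DisplayName 'WSL2 allow apt mirrors' -Direction Outbound `
        -Protocol TCP -RemoteAddress $allowedIps -RemotePort 80, 443 -Action Allow
    # 3. Block the rest on this adapter without overlapping the allows above.
    New-NetFirewallRule @common -DisplayName 'WSL2 block outbound (other hosts)' -Direction Outbound `
        -RemoteAddress (Get-ComplementRanges $allowedIps) -Action Block
    New-NetFirewallRule @common -DisplayName 'WSL2 block outbound (mirrors, other ports)' -Direction Outbound `
        -Protocol TCP -RemoteAddress $allowedIps -RemotePort '1-79', '81-442', '444-65535' -Action Block
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule @common -DisplayName "WSL2 block inbound ($proto, non-DNS)" -Direction Inbound `
            -Protocol $proto -LocalPort '1-52', '54-65535' -Action Block
    }
}

# Verify from inside the distro. Assumes the default distro has getent and curl,
# and that example.com is NOT allow-listed (it is the constructed "should fail" probe).
function Test-WslLockdown {
    wsl.exe -- getent hosts archive.ubuntu.com | Out-Null
    $dnsOk = ($LASTEXITCODE -eq 0)
    wsl.exe -- curl -sI -m 10 -o /dev/null http://archive.ubuntu.com/ubuntu/
    $mirrorOk = ($LASTEXITCODE -eq 0)
    wsl.exe -- curl -sI -m 10 -o /dev/null https://example.com/
    $otherBlocked = ($LASTEXITCODE -ne 0)
    [pscustomobject]@{ DnsWorks = $dnsOk; MirrorReachable = $mirrorOk; OtherHostBlocked = $otherBlocked }
}

Set-WslLockdownRules -WhatIf   # dry run: lists the rules that would be created
Set-WslLockdownRules
Test-WslLockdown
```

Two operational caveats. Mirror and PPA addresses rotate, so the resolved allow-list goes stale; re-run the script on a schedule, and keep in mind that an address-based allow-list is only as trustworthy as the DNS answer at resolution time (apt's signature checks still protect package integrity, not the network path). More importantly, `Test-WslLockdown` is the check that matters: if `OtherHostBlocked` comes back false after the rules are applied, the host firewall on that Windows build is not being applied to the VM's NAT-forwarded traffic, only to traffic that terminates on the host itself (which is exactly why the original rules broke DNS but nothing else), and the enforcement point has to move to a control that does sit in the path rather than to more host rules.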