WSL Networking and Windows Firewall
When Windows Firewall is configured to block outbound connections without a matching rule, it can prevent the WSL VM from accessing the network. You may need to add Hyper-V firewall rules to allow the traffic from the VM.
I recently installed Podman on Windows, but ran into a DNS error when attempting to start a container:
Trying to pull docker.io/library/hello-world:latest...
Error: initializing source docker://hello-world:latest: pinging container registry registry-1.docker.io:
Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution
Podman uses a WSL VM to run containers.
At first glance, this might seem like the typical WSL DNS resolution issue.
Some suggested workarounds include setting generateResolvConf
to false in /etc/wsl.conf
and manually configuring nameservers in /etc/resolv.conf
.
In this case, however, DNS is not the problem because remote hosts are also inaccessible by IP.
A capture on the WSL virtual network interface showed no packets, which indicates that a firewall may be blocking the traffic:
Windows 11 22H2 comes with Hyper-V firewall that filters traffic for containers.
If you installed WSL by running wsl --install
, the firewall is automatically enabled.
Run this PowerShell command to check the state of the Hyper-V firewall for WSL:
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
Name : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Block
LoopbackEnabled : True
AllowHostPolicyMerge : True
The values for DefaultInboundAction
and DefaultOutboundAction
correspond to the ones for the active Windows Firewall profile:
Since there are no outbound Hyper-V firewall rules by default, everything is currently blocked.
Rules can be created with PowerShell. These commands will allow outbound DNS and HTTP traffic:
New-NetFirewallHyperVRule -DisplayName DNS -Protocol UDP -RemotePorts 53 -Direction Outbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
New-NetFirewallHyperVRule -DisplayName HTTP -Protocol TCP -RemotePorts 80,443 -Direction Outbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"