Skip to main content

WSL Networking and Windows Firewall

· 2 min read

When Windows Firewall is configured to block outbound connections without a matching rule, it can prevent the WSL VM from accessing the network. You may need to add Hyper-V firewall rules to allow the traffic from the VM.


I recently installed Podman on Windows, but ran into a DNS error when attempting to start a container:

Trying to pull docker.io/library/hello-world:latest...
Error: initializing source docker://hello-world:latest: pinging container registry registry-1.docker.io:
Get "https://registry-1.docker.io/v2/": dial tcp: lookup registry-1.docker.io: Temporary failure in name resolution

Podman uses a WSL VM to run containers. At first glance, this might seem like the typical WSL DNS resolution issue. Some suggested workarounds include setting generateResolvConf to false in /etc/wsl.conf and manually configuring nameservers in /etc/resolv.conf. In this case, however, DNS is not the problem because remote hosts are also inaccessible by IP.

A capture on the WSL virtual network interface showed no packets, which indicates that a firewall may be blocking the traffic:

Empty packet capture

Windows 11 22H2 comes with Hyper-V firewall that filters traffic for containers. If you installed WSL by running wsl --install, the firewall is automatically enabled.

Run this PowerShell command to check the state of the Hyper-V firewall for WSL:

Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
Name                  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Block
LoopbackEnabled : True
AllowHostPolicyMerge : True

The values for DefaultInboundAction and DefaultOutboundAction correspond to the ones for the active Windows Firewall profile:

Windows Firewall profile

Since there are no outbound Hyper-V firewall rules by default, everything is currently blocked.

Rules can be created with PowerShell. These commands will allow outbound DNS and HTTP traffic:

New-NetFirewallHyperVRule -DisplayName DNS -Protocol UDP -RemotePorts 53 -Direction Outbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
New-NetFirewallHyperVRule -DisplayName HTTP -Protocol TCP -RemotePorts 80,443 -Direction Outbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"