Limit Firewall Rules to WSL and Hyper-V Interfaces #823
straysheep-dev
started this conversation in
Ideas
Replies: 1 comment 1 reply
Related: #249
I couldn't find anything in older issues or current discussions, so I opened this both for reference and to see if this has been considered or is being worked on. It may be ideal to limit inbound connections to just the virtual interfaces (in other words, only from the host itself and no other devices on the LAN) by default:
vEthernet (WSL (Hyper-V firewall))
vEthernet (Default Switch)
The issue I've run into is that the identifiers for these interfaces appear to be "regenerated" and are treated as unique by Windows Firewall on every reboot, even though they always have the same interface names.
The best solution for me has been using an ssh reverse tunnel mentioned in discussions/613. This allows you to maintain locked-down firewall rules and still use usbipd. I put this into a generic function for reference, but I'm curious if this has been considered as a built-in way of connecting to WSL. I originally wrote the function to check for and create temporary ssh keys, and set up sshd on WSL automatically. But maybe there's a better way to do this entirely in C# without calling Windows binaries like ssh-keygen or relying on wsl.exe commands.

Another solution is to use a PowerShell script to remove the current inbound rule for usbipd, then enumerate the interface names, effectively placing their current identifier into a variable, to apply a firewall rule dynamically on every startup (and as often as needed) using a scheduled task. The key is using the -InterfaceAlias argument to limit connections to only the WSL and Hyper-V interfaces, and not the host's LAN or WiFi interfaces. For this, I'm not sure if this is something that could be done in Server.wxs since the rule needs to be continually "refreshed".

I also don't know the actual attack surface of having usbipd exposed to the LAN - it's just my assumption it's better to not have it reachable by anything but the host computer by default.
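The "refresh the rule on every startup" approach described in the post, written out as an added example. This is not the author's script and not part of usbipd-win; it assumes the installer's inbound rule has the display name `usbipd` (an assumption, check with `Get-NetFirewallRule`), that usbipd listens on the USB/IP default port TCP 3240, and that the script runs elevated. The rule name `usbipd-wsl-only`, the task name and the script path are placeholders.

```powershell
# Added example, not from the original post or the usbipd-win project.
# Assumptions: installer rule DisplayName 'usbipd' (unverified), service on TCP 3240,
# script running as Administrator. Rule/task names and the script path are placeholders.

$RuleName = 'usbipd-wsl-only'
$Port     = 3240

# Windows Firewall binds rules to interface identifiers, which the post reports change on
# every reboot for the WSL/Hyper-V vEthernet adapters. Resolving the aliases at run time
# sidesteps that: the names are stable even though the identifiers are not.
$aliases = Get-NetAdapter |
    Where-Object { $_.Name -like 'vEthernet (WSL*' -or $_.Name -eq 'vEthernet (Default Switch)' } |
    ForEach-Object Name

if (-not $aliases) {
    # The WSL vEthernet adapter only exists once WSL has started, so at boot this can be
    # empty. Leaving the firewall untouched is the safe failure mode: nothing is opened.
    Write-Warning 'No WSL/Hyper-V vEthernet interfaces present; firewall left unchanged.'
    return
}

# Drop the installer's broad inbound rule (assumed name) and any stale copy of our own
# rule left over from the previous boot, so we never accumulate rules with dead bindings.
Get-NetFirewallRule -DisplayName 'usbipd' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Recreate the rule bound to the current vEthernet aliases only. LAN and Wi-Fi adapters are
# not listed, so traffic arriving on them falls through to the default inbound block.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
    -InterfaceAlias $aliases -Profile Any | Out-Null

# Check: the interface filter should list exactly the vEthernet aliases resolved above.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallInterfaceFilter

# To run this at every startup as the post suggests (placeholder path; re-run the task
# after 'wsl --shutdown' as well, since the WSL adapter is recreated when WSL restarts):
# Register-ScheduledTask -TaskName 'usbipd-firewall-refresh' -RunLevel Highest `
#     -Trigger (New-ScheduledTaskTrigger -AtStartup) `
#     -Action (New-ScheduledTaskAction -Execute 'powershell.exe' `
#         -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\usbipd-firewall.ps1')
```

Two caveats worth keeping in mind: the check at the end (`Get-NetFirewallInterfaceFilter`) is the part to actually look at after a reboot, because a rule bound to a stale identifier silently matches nothing; and an `-InterfaceAlias` rule only constrains which adapter the packet arrives on, so anything that can already run on the host (including inside WSL itself) can still reach the port, which matches the post's stated goal of "host only" rather than a stronger boundary.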