Starting from X410 version 3.0.0, X410 has a built-in feature that automatically blocks external TCP connections and only allows TCP connections from WSL2. Hence, you no longer have to set up separate inbound rules as described below; you simply need to enable the new WSL2 option in X410 and have your computer securely protected.

Unlike WSL (Windows Subsystem for Linux) version 1, WSL version 2 (WSL2) has its own isolated network and you cannot readily connect back to X410 running in Windows via TCP/IP connections; Windows Defender Firewall blocks such connections for security reasons.

To use X410 with Linux GUI apps running in WSL2, you must enable the 'Public Access' option in X410 and allow its inbound public access in Windows Defender Firewall. However, once you grant that public access for X410 in Windows Defender Firewall, any app can forward its GUI output to your X410, even if it's running on a different computer. The following guide shows how to prevent such unsolicited connections by adding an inbound rule to Windows Defender Firewall.

Computer AAA: Your computer with X410 and WSL2 running
Computer BBB: Unknown computer somewhere

Before adding a firewall inbound rule for protecting X410, you should first make your X410 work with Linux GUI apps running in WSL2. The following post outlines those steps for setting up X410 and WSL2:

Once you have Linux GUI apps running in WSL2 working with X410, check the DISPLAY environment variable in WSL2. Its IP address should be between 172.16.0.0 and 172.31.255.255, a range reserved for local private network environments. WSL2 as well as Hyper-V virtual machines seem to be using IP addresses in this range.

If your DISPLAY environment variable is pointing to an address in a different IP address range, the following steps will *NOT* work; you need to make adjustments according to your DISPLAY environment variable.


Do you remember the 'Windows Security Alert' popup window while setting up X410 for WSL2? You must select the 'Public networks...' option in that popup window; Linux GUI apps running in WSL2 cannot connect back to X410 running in Windows if that option is not enabled.

When you enable that option, Windows automatically adds two inbound rules to Windows Defender Firewall; they're named 'x410' (lower-case 'x').

Before adding our own rule that only allows connections from WSL2, you need to disable those two rules, because they allow connections from any computer. Please note that you need to 'disable' them rather than delete them; if you delete them, Windows shows the security alert popup window again the next time you start X410.

Once you disable those two rules, you'll get "can't open display", "connection timed out" or similar errors from Linux GUI apps running locally in WSL2 as well as from apps running remotely on separate computers. We'll add a new rule in the next step to fix those errors.


We now need to add a 'Custom' inbound rule in Windows Defender Firewall. The following screenshots show the steps for adding this rule. You can use all the default settings preselected by Windows Defender Firewall except in Step 3.4 (Scope), where you need to enter an allowed IP range.

3.1 Rule Type

3.2 Program

Windows Defender Firewall doesn't seem to support setting an IP range if a specific program is selected. Also, since X410 is a Microsoft Store app, you shouldn't actually try to access its executable; Windows purposefully hides Microsoft Store app installation folders in order to improve Windows security as well as its app update process.

Anyhow, this shouldn't be a problem for our needs, as our new rule only allows connections from WSL2 to any publicly opened app running in Windows, such as X410 with its 'Public Access' option enabled.

3.3 Protocols and Ports

3.4 Scope

In this step, instead of using the default settings, you need to specify local IP addresses for WSL2. As mentioned above, Windows seems to be using IP addresses between 172.16.0.0 and 172.31.255.255 for WSL2 and Hyper-V virtual machines. You can use a shortened notation of those IP addresses, i.e., "172.16.0.0/12" for this option.

3.5 Action

3.6 Profile

3.7 Name

You can enter any name for this option. We used "X410 Public Access for WSL2 Only" for our new rule.

3.8 Done!



As mentioned in Step 3.2, this newly added rule is not only applied to X410 but also applied to all other publicly opened apps running in Windows. So, if you want to protect an app that needs to be connected from WSL2, you can now simply disable its Windows Defender Firewall public access rules; you should be able to find such rules similar to the ones shown in Step 2 for X410.
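
Steps 2 and 3 can also be scripted. The following PowerShell is an added example, not part of the original guide or of X410 itself; it assumes an elevated PowerShell session and that the Step 3.4 range is entered as the rule's remote address, since the rule is meant to restrict where connections come from.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of Steps 2 and 3 of this guide.

$autoRuleName = 'x410'                              # rules Windows added from the alert popup
$newRuleName  = 'X410 Public Access for WSL2 Only'  # name used in Step 3.7
$wsl2Range    = '172.16.0.0/12'                     # 172.16.0.0 - 172.31.255.255 (Step 3.4)

# Step 2: disable (do not delete) the automatically added inbound rules.
$autoRules = @(Get-NetFirewallRule -DisplayName $autoRuleName -ErrorAction SilentlyContinue |
    Where-Object Direction -eq 'Inbound')
if ($autoRules.Count -eq 0) {
    Write-Warning "No inbound rule named '$autoRuleName' found. Start X410 and answer the Windows Security Alert first."
} else {
    $autoRules | Disable-NetFirewallRule
}

# Step 3: add the custom allow rule once. All programs, any protocol and
# all profiles mirror the wizard defaults; only the scope is restricted.
# Assumption: the range goes into the remote (source) address scope.
if (-not (Get-NetFirewallRule -DisplayName $newRuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $newRuleName `
        -Direction Inbound -Action Allow `
        -Profile Any -Protocol Any `
        -RemoteAddress $wsl2Range | Out-Null
}

# Verify: the 'x410' rules should show Enabled = False, and the new rule
# should be the only enabled one, scoped to the WSL2 range.
Get-NetFirewallRule -DisplayName $autoRuleName, $newRuleName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Enabled       = $_.Enabled
            Direction     = $_.Direction
            Action        = $_.Action
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
```

The rule matches on source address only, so any host whose address falls inside 172.16.0.0/12 is allowed, including machines on a physical LAN that happens to use that range.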
