Auditd & Firewalld are disabled on WSL2

[K4Z4R]

Windows Version

Microsoft Windows [version 10.0.22631.5335]

WSL Version

2.4.13.0

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

5.15.167.4-1

Distro Version

AlmaLinux release 9.6 (Sage Margay)

Other Software

auditctl (auditd) version 3.1.5
firewalld

Repro Steps

auditd :

I run the command "systemctl start auditd" and "systemctl status auditd" .

firewalld :

I run the command "systemctl start firewalld " and "systemctl status firewalld " .

Expected Behavior

I'm expected to see in the service information "Active : active".

Actual Behavior

Auditd :

× auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2025-06-03 13:14:21 CEST; 3min 59s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 230 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)

Jun 03 13:14:21 LAPTOP-K2INL896 systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
Jun 03 13:14:21 LAPTOP-K2INL896 systemd[1]: Stopped Security Auditing Service.
Jun 03 13:14:21 LAPTOP-K2INL896 systemd[1]: auditd.service: Start request repeated too quickly.
Jun 03 13:14:21 LAPTOP-K2INL896 systemd[1]: auditd.service: Failed with result 'exit-code'.
Jun 03 13:14:21 LAPTOP-K2INL896 systemd[1]: Failed to start Security Auditing Service.

Firewalld :

○ firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: inactive (dead) since Tue 2025-06-03 13:18:33 CEST; 8min ago
Duration: 1.242s
Docs: man:firewalld(1)
Main PID: 656 (code=exited, status=0/SUCCESS)

Jun 03 13:18:32 LAPTOP-K2INL896 systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 03 13:18:33 LAPTOP-K2INL896 firewalld[656]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.10 (nf_tables):
line 2: TABLE_ADD failed (Operation not supported): table broute
line 2: CHAIN_USER_ADD failed (No such file or directory): chain BROUTING_direct
line 3: TABLE_ADD failed (Operation not supported): table broute
line 3: CHAIN_ADD failed (No such file or directory): chain BROUTING
line 3: RULE_INSERT failed (No such file or directory): rule in chain BROUTING
line 4: TABLE_ADD failed (Operation not supported): table broute
line 4: RULE_INSERT failed (No such file or directory): rule in chain BROUTING_direct
line 4: RULE_APPEND failed (No such file or directory): rule in chain BROUTING_direct
Jun 03 13:18:33 LAPTOP-K2INL896 firewalld[656]: ERROR: Failed to load user configuration. Falling back to full stock configuration.
Jun 03 13:18:33 LAPTOP-K2INL896 firewalld[656]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

                                            JSON blob:
                                            {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "fire>

Jun 03 13:18:33 LAPTOP-K2INL896 firewalld[656]: ERROR: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.10 (nf_tables):
line 2: TABLE_ADD failed (Operation not supported): table broute
line 2: CHAIN_USER_ADD failed (No such file or directory): chain BROUTING_direct
line 3: TABLE_ADD failed (Operation not supported): table broute
line 3: CHAIN_ADD failed (No such file or directory): chain BROUTING
line 3: RULE_INSERT failed (No such file or directory): rule in chain BROUTING
line 4: TABLE_ADD failed (Operation not supported): table broute
line 4: RULE_INSERT failed (No such file or directory): rule in chain BROUTING_direct
line 4: RULE_APPEND failed (No such file or directory): rule in chain BROUTING_direct
Jun 03 13:18:33 LAPTOP-K2INL896 firewalld[656]: Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/firewall/core/fw.py", line 659, in start
self._start()
File "/usr/lib/python3.9/site-packages/firewall/core/fw.py", line 623, in _start
self._start_apply_objects(reload=reload, complete_reload=complete_reload)
File "/usr/lib/python3.9/site-packages/firewall/core/fw.py", line 541, in _start_apply_objects
transaction.execute(True)
File "/usr/lib/python3.9/site-packages/firewall/core/fw_transaction.py", line 161, in execute
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-rest>
line 2: TABLE_ADD failed (Operation not supported): table broute
line 2: CHAIN_USER_ADD failed (No such file or directory): chain BROUTING_direct
line 3: TABLE_ADD failed (Operation not supported): table broute
line 3: CHAIN_ADD failed (No such file or directory): chain BROUTING

Journalctl :

audit dispatcher initialized with q_depth=2000 and 1 active plugins
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[207]: Error sending status request (Operation not permitted)
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[207]: Error sending enable request (Operation not permitted)
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[207]: Unable to set initial audit startup state to 'enable', exiting
Jun 03 13:14:21 LAPTOP-K2INL896 sedispatch[209]: sedispatch is exiting on stop request
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[207]: The audit daemon is exiting.
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[207]: Error setting audit daemon pid (Operation not permitted)
Jun 03 13:14:21 LAPTOP-K2INL896 auditd[204]: Cannot daemonize (Success)

[github-actions]

Logs are required for review from WSL team

If this a feature request, please reply with '/feature'. If this is a question, reply with '/question'.
Otherwise please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1

The script will output the path of the log file once done.

If this is a networking issue, please use collect-networking-logs.ps1, following the instructions here

Once completed please upload the output files to this Github issue.

Click here for more info on logging
If you choose to email these logs instead of attaching to the bug, please send them to wsl-gh-logs@microsoft.com with the number of the github issue in the subject, and in the message a link to your comment in the github issue and reply with '/emailed-logs'.

[K4Z4R]

I submit my WSL logs.

WslLogs-2025-06-03_13-35-34.zip

[github-actions]

The log file doesn't contain any WSL traces. Please make sure that you reproduced the issue while the log collection was running.

Diagnostic information

.wslconfig found
Detected appx version: 2.5.7.0
Found no WSL traces in the logs

[sirredbeard]

Can I ask why you are running auditd and firewalld?

[K4Z4R]

Hi @sirredbeard,

I'm currently working on a secure WSL distribution project, and I need to implement a logging audit system. From my research, auditd seems to be the most user-friendly and suitable for this purpose.

Additionally, I require a service to manage firewall rules within the distribution, and firewalld appears to be a good fit.

My question is : is it possible to use both auditd and firewalld concurrently in a WSL environment? If not, which one would be more feasible, or are there alternatives you would recommend for WSL?