Clash blocked by Windows firewall

Pre

Today, when I ran a git pull, I hit an error:

nc: connect to 192.168.100.112 port 7890 (tcp) failed: Connection timed out
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

First, I should describe my setup. I configured git to use an SSH connection, since GitHub has forbidden users from connecting over HTTP.
Because of my network situation, I have to use a proxy to reach github.com, so I route it through Clash for Windows.
192.168.100.112 is the Windows host IP, and 7890 is the proxy port used by Clash.

# Reach GitHub over ssh.github.com:443 instead of port 22, which the proxy does not pass
Host github.com
    Hostname ssh.github.com
    Port 443
    # -x: SOCKS proxy to tunnel through (Clash on the Windows host); -v: report connection failures
    ProxyCommand nc -v -x 192.168.100.112:7890 %h %p

It had worked well until today.
Actually, I get errors like this occasionally, so I didn't take it as a big deal. I was sure it would go away after a few casual tries.

Troubleshooting

Time Synchronization Error

Recently, the error I have hit most often is a Clash proxy error caused by the Windows system clock being out of sync; I have always dealt with it by synchronizing the clock manually.
But that didn't work this time.

SSH port error

SSH uses port 22 by default. I found that this does not work with some proxy servers, and the one I use is exactly such a case, which is why I set Port 443 in the config above. So I double-checked the port setting: nothing wrong there.

It didn't go through Clash

So what was happening here? After those attempts I realized I couldn't keep making casual tries; I had to analyze the situation.
Then I found that the traffic was not reaching Clash in the first place, because the Clash log was empty.

Try curl

To eliminate misleading errors stemming from SSH itself, I also tried curl with the proxy set through environment variables. It couldn't reach Clash either.

# $host_ip holds the Windows host address; the single quotes defer expansion until the alias runs.
# https_proxy needs the http:// scheme just like http_proxy: the proxy itself is plain HTTP.
alias proxyGo='export https_proxy=http://$host_ip:7890 http_proxy=http://$host_ip:7890 all_proxy=socks5://$host_ip:7890'

WSL networking

At this point I had to consider whether it was a WSL problem. WSL uses NAT mode by default, and mirrored mode requires Windows 11. Was there a chance that a recent system update had switched it to mirrored mode?
Again I read the official guide:

Accessing network applications with WSL.

And found that it hadn't changed at all. But maybe the guide just hadn't kept up with the update? So I tried mirrored mode and had no luck with the localhost IP. Setting mirrored mode manually also produced an error saying this version doesn't support mirrored mode.

Windows Firewall

I have not touched any firewall settings since I first started using Clash for Windows, and since it had worked well before, this was the last thing I wanted to look into.
But guess what: this is where I finally hit the jackpot.
In the firewall rules I found that Clash had some rules in a Disallow state; after turning them all on, the proxy worked like a charm.
Considering that, it's easy to understand why visiting websites through the Clash proxy still worked: the browser and Clash are on the same localhost network and are not affected by firewall rules.
Proxy requests from WSL, on the other hand, were treated by Windows as incoming traffic rather than local traffic.
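The check I would have wanted at the start of this hunt, covering both the curl test above and this firewall section, as an added example that is not part of the original post: a bash script run from WSL that first probes the raw TCP path to the host proxy port (a firewall dropping the packets shows up as the same "Connection timed out" as in the nc error above, while a port with nothing listening is refused immediately), then sends one request through the proxy the same way the proxyGo alias does, and finally lists the Windows Firewall rules for Clash through WSL's powershell.exe interop and flags the ones in a Block state. The host IP and port are the ones from this post; the script name, the WSL subnet default, the display name of the new rule, the CLASH_EXE path and the assumption that the firewall rules carry "Clash" in their display name are all mine. The awk filter is kept separate from the interop call so it can be exercised on captured output.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. From WSL: bash clash-wsl-check.sh run
HOST_IP="${HOST_IP:-192.168.100.112}"       # Windows host address from the post
PROXY_PORT="${PROXY_PORT:-7890}"            # Clash proxy port from the post
WSL_SUBNET="${WSL_SUBNET:-172.16.0.0/12}"   # assumption: typical WSL2 NAT range; adjust to your vEthernet (WSL) subnet
CLASH_EXE="${CLASH_EXE:-C:\\PLACEHOLDER\\Clash for Windows.exe}"  # placeholder: real path to the Clash executable

# Map the exit status of the TCP probe to a diagnosis. Pure, so it is testable offline.
classify_connect_status() {  # usage: classify_connect_status EXIT_CODE
  case "$1" in
    0)   echo open ;;     # something is listening and the packets got through
    124) echo timeout ;;  # timeout(1) fired: packets are being dropped, which is what a firewall block looks like
    *)   echo refused ;;  # the host answered but nothing listens on that port (or an explicit reject)
  esac
}

# Raw TCP connect, independent of ssh, nc and any proxy settings.
tcp_probe() {  # usage: tcp_probe HOST PORT [TIMEOUT_SECONDS]
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  classify_connect_status "$?"
}

# One request through the proxy, using the same http://host:port form as the proxyGo alias.
proxy_probe() {  # prints the HTTP status seen through the proxy, or "fail"
  if code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
              -x "http://$HOST_IP:$PROXY_PORT" https://github.com 2>/dev/null); then
    echo "$code"
  else
    echo fail
  fi
}

# Windows Firewall rules whose display name mentions Clash, as CSV, via WSL interop.
# Reading rules does not need elevation.
firewall_rules_csv() {
  powershell.exe -NoProfile -Command \
    "Get-NetFirewallRule -DisplayName '*Clash*' | Select-Object DisplayName,Direction,Action,Enabled | ConvertTo-Csv -NoTypeInformation" \
    | tr -d '\r'   # powershell.exe emits CRLF line endings
}

# Filter that CSV (on stdin) down to rules that actively block: Action=Block and Enabled=True.
# Prints "Direction<TAB>DisplayName" per matching rule; the header line is skipped.
blocking_rules() {
  awk -F'","' 'NR > 1 { gsub(/^"|"$/, ""); if ($3 == "Block" && $4 == "True") print $2 "\t" $1 }'
}

# Narrower fix than "turn all on": disable the Block rules for Clash, then allow inbound TCP on the
# proxy port only from the WSL subnet and only for the Clash program. Needs an elevated terminal.
allow_clash_from_wsl() {
  powershell.exe -NoProfile -Command \
    "Get-NetFirewallRule -DisplayName '*Clash*' -Action Block | Disable-NetFirewallRule; \
     New-NetFirewallRule -DisplayName 'Clash proxy from WSL' -Direction Inbound -Protocol TCP \
       -LocalPort $PROXY_PORT -RemoteAddress $WSL_SUBNET -Program '$CLASH_EXE' -Action Allow"
}

main() {
  echo "tcp $HOST_IP:$PROXY_PORT -> $(tcp_probe "$HOST_IP" "$PROXY_PORT")"
  echo "http via proxy -> $(proxy_probe)"
  echo "Windows Firewall rules for Clash that currently block:"
  firewall_rules_csv | blocking_rules
}

case "${1:-}" in
  run) main ;;
  fix) allow_clash_from_wsl ;;
esac
```

Read the first line first: "timeout" on the raw probe means the packets never reach a listener, so the SSH config, the port choice and the Clash log are not where to look; "refused" means the host is reachable but Clash is not listening on that port; "open" followed by a failing proxy request points at the proxy layer itself. The `fix` action scopes the allow rule to the WSL subnet and the Clash program rather than opening everything, and it has to run from a terminal started as Administrator because changing rules requires elevation.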

Appendix: Config File

I still don't know why the firewall setting changed; maybe the system or the anti-virus software popped up a prompt and I clicked the "disallow" button accidentally.
But I do know that every system or software setting should take the form of a config file, or provide a way to produce an equivalent file, so that people can easily check whether it has changed since last time. I think that would help a lot when we want to know why things behave or work differently.