Jan 14, 2013

Ubuntu Server 12.04: How does one configure the firewall during installation?


I’m following instructions to automate the installation of Ubuntu Server 12.04 using kickstart. It works well for automatically partitioning the drives, selecting languages etc. However, it doesn’t configure the firewall. It is a known issue.

Running without a firewall isn’t a good idea. How does one configure the UFW firewall during installation to prevent unauthorized access to the server?

The kickstart file I have looks as follows (with only the username changed)

#System language
lang en_US
#Language modules to install
langsupport en_US
#System keyboard
keyboard us
#System mouse
#System timezone
timezone America/Los_Angeles
#Root password
rootpw --disabled
#Initial user
user johnd --fullname "John Doe" --iscrypted --password <omitted>
#Reboot after installation
#Use text mode install
#Install OS instead of upgrade
#Use CDROM installation media
#System bootloader configuration
bootloader --location=mbr 
#Clear the Master Boot Record
zerombr yes
#Partition clearing information
clearpart --all --initlabel 
#Disk partitioning information
part / --fstype ext4 --size 1 --grow 
part swap --recommended 
#System authorization infomation
auth  --useshadow  --enablemd5 
#Network information
network --bootproto=dhcp --device=eth0
#Firewall configuration
firewall --enabled --trust=eth0 --ssh 
#Do not configure the X Window System


I added the following the file above:

mkdir /usr/sample
ufw enable
ufw allow 22

After the installation, the directory /usr/sample exists, but the firewall is still disabled and access to port 22 isn’t allowed.


You may use the %post (post-installation) part of the kickstart file to run the firewall rules, or even create a basic firewall script.

I found, on this site an usage example of post-installation configuration. And here you have another explanation of how to achieve what you want.

EDIT: %post suggestion:

mkdir /usr/sample
sed -i 's/^\(ENABLE=\s*\).*$/\1yes/' /etc/ufw/ufw.conf
sed -i 's/^COMMIT/-A ufw-before-input -p tcp --dport 22 -j ACCEPT\n\nCOMMIT/' /etc/ufw/before.rules
ufw status verbose > /usr/sample/ufw_out.log

Try and see if this will work. Maybe a little to over, but if this works, may be a nice workaround.

Answered by fboaventura

Related posts:

  1. How to setup simple firewall on Ubuntu?
  2. How can I configure unattended installation of Ubuntu?
  3. Firewall configuration on Ubuntu KVM host
  4. What is the best way to configure windows firewall to open up sql server to lan computers
  5. Upgrading to ufw on Ubuntu 9.04

Leave a comment