Core Rules for HTTP and HTTPS Traffic

Web servers primarily serve content over HTTP (port 80) and HTTPS (port 443), making these the most fundamental ports to configure correctly. However, simply opening these ports to all traffic is insufficient for proper security. Modern firewall configurations must balance accessibility with protection against various attack vectors.

For HTTP traffic on port 80, the basic rule allows incoming TCP connections from any source:

Allow TCP from any to web_server_ip port 80

However, this basic rule should be enhanced with additional controls. Rate limiting prevents any single source from overwhelming your server with requests. A more sophisticated rule might look like:

Allow TCP from any to web_server_ip port 80 limit rate 100/minute burst 200
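The pseudo-rule above names a rate and a burst but does not say how the two interact or why the limit has to be keyed per source. The following is an added example, not a rule from the page or from any particular firewall product: a per-source token bucket in Python that models "limit rate 100/minute burst 200" with the semantics most firewall limiters use (a new source may spend up to `burst` credits at once, then earns credits back at the steady rate). The addresses and the event list are constructed sample traffic, not captured data.

```python
"""Added example: per-source token-bucket limiter modelling the pseudo-rule
'limit rate 100/minute burst 200'. Not from the page; the traffic replayed
below is constructed (RFC 5737 documentation addresses), not captured."""
from dataclasses import dataclass, field


@dataclass
class Bucket:
    tokens: float   # credits available right now (never more than `burst`)
    last: float     # timestamp of the last refill, in seconds


@dataclass
class SourceRateLimiter:
    """One bucket per source address, as a per-source firewall limiter keeps."""
    rate_per_minute: float = 100.0
    burst: int = 200
    buckets: dict = field(default_factory=dict)

    def allow(self, src_ip: str, now: float) -> bool:
        b = self.buckets.get(src_ip)
        if b is None:
            # A new source starts with a full bucket: the burst is what it may
            # send at once before the steady-state rate takes over.
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[src_ip] = b
        # Refill at the steady rate for the time elapsed, capped at the burst.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst),
                       b.tokens + elapsed * self.rate_per_minute / 60.0)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(events, rate_per_minute=100.0, burst=200):
    """Replay (timestamp, src_ip) connection attempts in time order and
    return per-source (accepted, dropped) counts."""
    limiter = SourceRateLimiter(rate_per_minute, burst)
    counts = {}
    for now, src in sorted(events, key=lambda e: e[0]):
        acc, drop = counts.get(src, (0, 0))
        if limiter.allow(src, now):
            counts[src] = (acc + 1, drop)
        else:
            counts[src] = (acc, drop + 1)
    return counts


def sample_events():
    """Constructed traffic: one source floods 250 connections at t=0 and
    150 more a minute later; a well-behaved client opens one connection
    per second for two minutes."""
    flood = [(0.0, "203.0.113.5")] * 250 + [(60.0, "203.0.113.5")] * 150
    normal = [(float(t), "198.51.100.7") for t in range(120)]
    return flood + normal


if __name__ == "__main__":
    # Expected: the flood source gets 200 (burst) + 100 (one minute of
    # refill) accepted and 100 dropped; the normal client is never touched.
    print(simulate(sample_events()))
```

The point to take from the replay is that the well-behaved client is unaffected because the limiter is keyed by source address; a single global limit on the port would have let the flood starve it. The inverse caveat also follows from the model: a flood spread over many sources stays under the per-source limit, so this rule is protection against one noisy client, not against a distributed flood.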

HTTPS traffic requires similar consideration but with additional complexity due to the encrypted nature of the communication. The basic HTTPS rule:

Allow TCP from any to web_server_ip port 443

should be supplemented with rules that consider SSL/TLS handshake patterns and certificate validation traffic. Some firewalls can inspect SSL/TLS handshakes without decrypting traffic, because the ClientHello that carries the offered protocol versions and cipher suites is sent in the clear, allowing you to block connections using weak ciphers or outdated protocols:

Allow TCP from any to web_server_ip port 443 where ssl_version >= TLS1.2
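A check like `ssl_version >= TLS1.2` can only be evaluated on the part of the handshake that is visible in cleartext, the ClientHello. The block below is an added example in Python, not code from the page or from any firewall vendor: it parses a ClientHello record, works out the highest protocol version the client offers, and applies a minimum-version policy. Because TLS 1.3 clients keep the record and `legacy_version` fields at TLS 1.0/1.2 values for compatibility, the `supported_versions` extension has to be read, and GREASE placeholder values that browsers insert have to be skipped. The two ClientHello messages are built by the `build_client_hello` helper for the test; they are constructed samples, not captured traffic.

```python
"""Added example: inspect a cleartext TLS ClientHello and enforce a minimum
protocol version, as a firewall that 'inspects without decrypting' must.
Not from the page; the ClientHello samples are constructed, not captured."""
import struct

TLS_VERSIONS = {0x0300: "SSL3.0", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 extension type 43
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record (sample data, not real traffic)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                       # client random (constructed)
    body += b"\x00"                            # empty session_id
    ciphers = b"\x13\x01\xc0\x2f"              # two cipher suite ids
    body += struct.pack("!H", len(ciphers)) + ciphers
    body += b"\x01\x00"                        # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers   # 1-byte list length
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: type, version (TLS 1.0 value for compatibility), length.
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _is_real_version(v):
    # Real TLS versions have high byte 0x03; GREASE values look like 0x?a?a.
    return (v >> 8) == 0x03


def highest_offered_version(record):
    """Return the highest protocol version the ClientHello offers."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    legacy = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip legacy_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    best = legacy
    if pos + 2 <= len(body):                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(len(body), pos + ext_len)
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = min(edata[0], len(edata) - 1)
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                           for i in range(0, n - 1, 2)]
                real = [v for v in offered if _is_real_version(v)]
                if real:
                    best = max(best, max(real))
    return best


def enforce_min_version(record, minimum=0x0303):
    """Verdict for the pseudo-rule 'ssl_version >= TLS1.2' (minimum 0x0303)."""
    v = highest_offered_version(record)
    return ("ACCEPT" if v >= minimum else "DROP", TLS_VERSIONS.get(v, hex(v)))


if __name__ == "__main__":
    modern = build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303])  # GREASE + 1.3 + 1.2
    legacy = build_client_hello(0x0301)                            # TLS 1.0 only
    print(enforce_min_version(modern), enforce_min_version(legacy))
```

Two practical notes follow from the parser. First, the verdict is made on what the client offers, not on what is finally negotiated; the server's own TLS configuration still decides the negotiated version, so the firewall rule and the server's minimum-version setting should agree. Second, a check that only reads the two-byte version in the record header would classify every TLS 1.3 client as TLS 1.0 or 1.2, which is why the extension walk above is needed.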