{"description": "By default, <tt>iptables</tt>\nblocks access to the ports used by the web server.\nTo configure <tt>iptables</tt> to allow port 80 traffic, one must edit\n<tt>/etc/sysconfig/iptables</tt> and\n<tt>/etc/sysconfig/ip6tables</tt> (if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:\n<pre>-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT</pre>\nTo configure <tt>iptables</tt> to allow port 443 traffic, one must edit\n<tt>/etc/sysconfig/iptables</tt> and\n<tt>/etc/sysconfig/ip6tables</tt> (if IPv6 is in use).\nAdd the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:\n<pre>-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT</pre>", "rationale": "Failure to properly manage and restrict ports, protocols, and services (PPS)\ncan result in compromise of enclave boundary protections and/or functionality\nof the AIS.", "severity": "low", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "Review the web site to determine if HTTP and HTTPS are used in accordance with\nwell-known ports (e.g., 80 and 443) or over alternate ports that are explicitly registered\nand approved for use by the organization's network security policy.\n\nTo configure <code>firewalld</code> to allow <code>http</code> access, run the following command(s):\n<pre>firewall-cmd --permanent --add-service=http</pre>\nThen run the following command to load the newly created rule(s):\n<pre>firewall-cmd --reload</pre>\n\nTo configure <code>firewalld</code> to allow <code>https</code> access, run the following command(s):\n<pre>firewall-cmd --permanent --add-service=https</pre>\nThen run the following command to load the newly created rule(s):\n<pre>firewall-cmd --reload</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": 
[], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure firewall to Allow Access to the Web Server", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewall/rule.yml", "template": null}