diff --git a/roles/web_server/files/ferm_http.conf b/roles/web_server/files/ferm_http.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ebc0604e0236269686b457cabd30fa30c6edfee9
--- /dev/null
+++ b/roles/web_server/files/ferm_http.conf
@@ -0,0 +1,8 @@
+table filter {
+    chain INPUT {
+        # HTTP
+        proto tcp dport 80 ACCEPT;
+        # HTTPS
+        proto tcp dport 443 ACCEPT;
+    }
+}