diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index 0e5c5fc..27e329c 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -12,10 +12,12 @@ class confdroid_gitea::firewall::iptables (
       dport => $ga_http_port,
       jump  => 'accept',
     }
-    firewall { "${ga_order_prefix}${ga_ssh_port} allow gitea ssh port ${ga_ssh_port}":
-      proto => 'tcp',
-      dport => $ga_ssh_port,
-      jump  => 'accept',
+    if $ga_start_ssh != false {
+      firewall { "${ga_order_prefix}${ga_ssh_port} allow gitea ssh port ${ga_ssh_port}":
+        proto => 'tcp',
+        dport => $ga_ssh_port,
+        jump  => 'accept',
+      }
     }
   }
 }