diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index a43728e..400b418 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -6,7 +6,7 @@ class confdroid_ssh::firewall::iptables (
 ) inherits confdroid_ssh::params {
- if $ssh_use_firewall {
+ if $ssh_use_firewall == true {
 firewall { "${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}":
 ensure => 'present',
 proto => 'tcp',
@@ -14,5 +14,14 @@ class confdroid_ssh::firewall::iptables (
 dport => $ssh_fw_port,
 jump => 'accept',
 }
+ else {
+ firewall { "${ssh_fw_order}${ssh_fw_port} remove SSH on port ${ssh_fw_port}":
+ ensure => 'absent',
+ proto => 'tcp',
+ source => $ssh_source_range,
+ dport => $ssh_fw_port,
+ jump => 'accept',
+ }
+ }
 }
 }
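Review bot: Comparing with `== true` sends every non-Boolean value to the `else` branch added further down in this diff, so a string such as `'true'` supplied through Hiera or an ENC would now select the rule-removal path instead of the accept rule. The declaration of `$ssh_use_firewall` is outside the hunk; if it is not already typed, declaring it as `Boolean $ssh_use_firewall` where the parameter is defined would reject such values at compile time rather than silently flipping the firewall state.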
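Review bot: The added `else {` comes before the brace that closes the `if` body, so as the hunk reads it sits inside the `if` block rather than following it, and the manifest would not parse. It should follow that closing brace as `} else {`, with the last added `}` dropped so the braces still balance. Separately, the `absent` resource is titled `... remove SSH on port ...` while the rule it is meant to delete is titled `... allow SSH on port ...`. If this is the puppetlabs-firewall type, which identifies a rule by its title, the existing accept rule would stay in the ruleset after `$ssh_use_firewall` is switched off. Reusing the allow rule's title in the `absent` branch would make the removal take effect.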