From 9729f09388b78d7e4e10ffe5158d7a7111be7ea3 Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Sun, 5 Apr 2026 15:26:08 +0200
Subject: [PATCH] OP#561 add source range
---
 manifests/firewall/iptables.pp | 3 ++-
 manifests/params.pp | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/manifests/firewall/iptables.pp b/manifests/firewall/iptables.pp
index 83571b5..a43728e 100644
--- a/manifests/firewall/iptables.pp
+++ b/manifests/firewall/iptables.pp
@@ -9,9 +9,10 @@ class confdroid_ssh::firewall::iptables (
 if $ssh_use_firewall {
 firewall { "${ssh_fw_order}${ssh_fw_port} allow SSH on port ${ssh_fw_port}":
 ensure => 'present',
- jump => 'accept',
 proto => 'tcp',
+ source => $ssh_source_range,
 dport => $ssh_fw_port,
+ jump => 'accept',
 }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 2eb098a..e0b3ffb 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -7,6 +7,7 @@
 # @param [Boolean] ssh_use_firewall whether to manage firewall settings
 # @param [String] ssh_fw_port port to use for SSHD and in fw
 # @param [String] ssh_fw_order order of firewall rule
+# @param [String] ssh_source_range source range for firewall rule
 ##############################################################################
 class confdroid_ssh::params (
@@ -17,6 +18,7 @@ class confdroid_ssh::params (
 Boolean $ssh_use_firewall = true,
 String $ssh_fw_port = '22',
 String $ssh_fw_order = '50',
+ String $ssh_source_range = '0.0.0.0/0',
 ) {
 # default facts
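Review bot: `source => $ssh_source_range` takes a single address or CIDR and applies only to this IPv4 rule, so a start-end range or a comma-separated list will not behave the way the parameter name suggests. A comment above the attribute would make that explicit, for example `# single IPv4 address or CIDR; an IPv6 rule, if managed, needs its own source`. Whether the module also manages an ip6tables rule for SSH is not visible in this patch, so it is worth confirming that the same restriction holds for IPv6 traffic. The enclosing class starts before this hunk.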
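Review bot: `String $ssh_source_range = '0.0.0.0/0'` in `confdroid_ssh::params` accepts any string and defaults to every source, so a malformed value reaches the firewall provider unvalidated and a node that never overrides it keeps SSH open to the whole IPv4 space. If puppetlabs-stdlib is available to this module (not visible in the patch), `Stdlib::IP::Address::V4::CIDR $ssh_source_range = '0.0.0.0/0',` would reject bad values at catalog compilation. The `@param` line added in the preceding hunk should state the expected form and the effect of the default, e.g. `# @param [String] ssh_source_range IPv4 CIDR allowed to reach SSH; default 0.0.0.0/0 allows any source`. The class body continues outside the hunk.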