diff --git a/deployment/sshd/sshd-baremetal-puppet.yaml b/deployment/sshd/sshd-baremetal-puppet.yaml
index 0d7e1a058a..d4a06ae9a3 100644
--- a/deployment/sshd/sshd-baremetal-puppet.yaml
+++ b/deployment/sshd/sshd-baremetal-puppet.yaml
@@ -65,6 +65,10 @@ parameters:
 default: 'no'
 description: Whether or not disable password authentication
 type: string
+ SshFirewallAllowAll:
+ default: false
+ description: Set this to true to open up ssh access from all sources.
+ type: boolean
 
 outputs:
 role_data:
@@ -72,9 +76,18 @@ outputs:
 value:
 service_name: sshd
 config_settings:
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
- tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
- tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
- tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+ map_merge:
+ - tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+ tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+ tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+ tripleo::profile::base::sshd::password_authentication: {get_param: PasswordAuthentication}
+ - if:
+ - {get_param: SshFirewallAllowAll}
+ - tripleo::sshd::firewall_rules:
+ '003 accept ssh from all':
+ proto: 'tcp'
+ dport: 22
+ - null
+
 step_config: |
 include ::tripleo::profile::base::sshd
diff --git a/environments/standalone/standalone-tripleo.yaml b/environments/standalone/standalone-tripleo.yaml
index f1712eb1fa..8b32d4b32e 100644
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
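Review bot: The new `SshFirewallAllowAll` description does not say what enabling it actually does, and the value is security-relevant: the same change turns it on by default for the undercloud and standalone environments. Suggest `description: Set this to true to add a firewall rule accepting TCP port 22 from any source address; leave it false on nodes whose SSH access must stay restricted.` so that operators reading the parameter see the effect rather than having to find the rule in the config_settings. The parameters section continues outside the hunk.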
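Review bot: The added `'003 accept ssh from all'` rule hard-codes `dport: 22` while the daemon's settings come from `SshServerOptions`, passed through on the line just above; if that map can carry a non-default `Port` (cannot tell from this hunk), the accept rule would open 22 rather than the port sshd actually listens on. The rule also carries no `source` restriction, which is the intent of the parameter but is worth stating next to the rule so a later reader does not tighten or copy it blindly. Suggest a comment above the rule, `# Unrestricted accept on tcp/22; only merged in when SshFirewallAllowAll is true, otherwise the null entry is a no-op for map_merge.` The `role_data` output continues outside the hunk.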
@@ -44,6 +44,10 @@ parameter_defaults:
 # Type: string
 SoftwareConfigTransport: POLL_SERVER_HEAT
 
+ # Set this to true to open up ssh access from all sources.
+ # Type: boolean
+ SshFirewallAllowAll: True
+
 # Heat action on performed top-level stack. Note StackUpdateType is set to UPGRADE when a major-version upgrade is in progress.
 # Mandatory. This parameter must be set by the user.
 # Type: string
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 654aab5e55..8cae712542 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -156,3 +156,4 @@ parameter_defaults:
 # TODO(emilien) Remove when Keepalived 2.0.6 is out
 # https://bugs.launchpad.net/tripleo/+bug/1791238
 KeepalivedRestart: true
+ SshFirewallAllowAll: true
diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml
index 1a547c55a4..c3a1a8f4a1 100644
--- a/sample-env-generator/standalone.yaml
+++ b/sample-env-generator/standalone.yaml
@@ -34,6 +34,9 @@ environments:
 deployment/tripleo-packages/tripleo-packages-baremetal-puppet.yaml:
 parameters:
 - EnablePackageInstall
+ deployment/sshd/sshd-baremetal-puppet.yaml:
+ parameters:
+ - SshFirewallAllowAll
 # TODO(aschultz): hack to pull in this config transport, not sure it is
 # still neded.
 puppet/controller-role.yaml:
@@ -51,6 +54,7 @@ environments:
 SoftwareConfigTransport: POLL_SERVER_HEAT
 EnablePackageInstall: true
 SwiftReplicas: 1
+ SshFirewallAllowAll: true
 resource_registry:
 # this network config is assumed by the tripleo deploy command
 OS::TripleO::Network::Ports::RedisVipPort: ../../network/ports/noop.yaml
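Review bot: `SshFirewallAllowAll: true` in environments/undercloud.yaml enables the unrestricted tcp/22 accept rule for every undercloud deployment with nothing recorded about why, whereas the neighbouring `KeepalivedRestart` entry shows this file's habit of a comment above such defaults. Suggest `# Opens sshd (tcp/22) to all sources; set to false if the undercloud should only accept SSH from specific networks.` above the line. The same default is set in the `parameter_defaults` hunk of sample-env-generator/standalone.yaml and deserves the same comment there; the generated environments/standalone/standalone-tripleo.yaml picks it up as `True`, so that file needs no separate edit.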