diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 2c2f3e8967..6981029b2f 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -55,3 +55,4 @@ parameter_defaults:
 NeutronPublicInterface: eth1
 MistralExecutionFieldSizeLimit: 16384
 NeutronServicePlugins: ['router']
+ SshFirewallAllowAll: true
diff --git a/puppet/services/sshd.yaml b/puppet/services/sshd.yaml
index 0b8a73b669..3c38546e02 100644
--- a/puppet/services/sshd.yaml
+++ b/puppet/services/sshd.yaml
@@ -62,6 +62,10 @@ parameters:
 Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
 description: Mapping of sshd_config values
 type: json
+ SshFirewallAllowAll:
+ default: false
+ description: Set this to true to open up ssh access from all sources.
+ type: boolean
 outputs:
 role_data:
@@ -69,8 +73,17 @@ outputs:
 value:
 service_name: sshd
 config_settings:
- tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
- tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
- tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+ map_merge:
+ - tripleo::profile::base::sshd::bannertext: {get_param: BannerText}
+ tripleo::profile::base::sshd::motd: {get_param: MessageOfTheDay}
+ tripleo::profile::base::sshd::options: {get_param: SshServerOptions}
+ - if:
+ - {get_param: SshFirewallAllowAll}
+ - tripleo::sshd::firewall_rules:
+ '003 accept ssh from all':
+ proto: 'tcp'
+ dport: 22
+ - null
+
 step_config: |
 include ::tripleo::profile::base::sshd
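Review bot: The added `SshFirewallAllowAll: true` at the end of `parameter_defaults` opens SSH on the undercloud to every source address for anyone deploying with this environment file, and nothing beside it marks that as intended. The parameter's own default in puppet/services/sshd.yaml is `false`, so a reader of this file alone cannot tell the widening is deliberate. I would put a comment above it, for example `# Opens ssh (tcp/22) to all source addresses on the undercloud; set to false if access is restricted by other firewall rules.` The rest of `parameter_defaults` lies outside the hunk, so I cannot tell whether other settings there already narrow access.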
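Review bot: The description of `SshFirewallAllowAll` says what `true` does but not what `false` leaves in place, which is the case an operator hardening a node needs to know. Judging from the outputs hunk of the same file, `false` only means this template emits no `tripleo::sshd::firewall_rules` entry; whether port 22 is then closed or still covered by a rule defined elsewhere is not visible here. I would expand the text to something like `description: When true, adds a firewall rule accepting tcp/22 from any source address. When false, this service adds no ssh rule and access depends on rules defined elsewhere.` The `parameters` section starts above the hunk.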
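Review bot: The new rule hard-codes `dport: 22`, while the same `config_settings` map passes the operator-supplied `SshServerOptions` straight through as sshd_config values, so a deployment that moves sshd to another port would still get port 22 opened to all sources rather than the port sshd listens on. A comment above the `if`, such as `# Rule assumes sshd listens on 22; keep in sync with SshServerOptions.`, would at least make that coupling visible. The rule has no source restriction, so the flag is all-or-nothing; if a narrower allow-list is ever needed it should be a separate parameter rather than a reuse of this one. The false branch relies on `map_merge` tolerating a `null` list element and on `if` accepting an inline `get_param`, which I believe Heat supports but which depends on the `heat_template_version` declared outside this hunk. The `role_data` value continues past the end of the hunk.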