diff --git a/common/terraform/firewall.tf b/common/terraform/firewall.tf
index b35d242b343a832c133c20cb70389e9d3a02cb58..7e332d05e9d3a2fd80fe4a4542029a70e7e54d26 100644
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -13,32 +13,24 @@ resource "openstack_networking_secgroup_v2" "http" {
   description = "http/https"
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ping4" {
-  for_each          = var.security_public_cidr4
+resource "openstack_networking_secgroup_rule_v2" "ping" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 8
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
+  port_range_min    = strcontains(each.key, ":") ? 128 : 8
   port_range_max    = 0
+  # protocol          = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"
   protocol          = "icmp"
   remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ping6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "ssh" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 128
-  port_range_max    = 0
-  protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ping.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "ssh4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
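Review bot: The merged `ping` rule leaves a commented-out `protocol` line next to the live `protocol = "icmp"`, so it is unclear which value is intended for IPv6 entries. Either enable `protocol = strcontains(each.key, ":") ? "ipv6-icmp" : "icmp"`, or delete the commented line and say why `"icmp"` is kept for both families; whether the target cloud treats the two names the same for IPv6 is not visible from this diff. The `port_range_min` line would also benefit from a comment such as `# ICMP type: 128 = ICMPv6 echo request, 8 = ICMPv4 echo request; port_range_max is the ICMP code`. The `ssh` resource that starts in this hunk continues past its last line.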
@@ -46,32 +38,11 @@ resource "openstack_networking_secgroup_rule_v2" "ssh4" {
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "ssh6" {
-  for_each          = var.security_public_cidr6
-  direction         = "ingress"
-  ethertype         = "IPv6"
-  port_range_min    = 22
-  port_range_max    = 22
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.ssh.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 80
-  port_range_max    = 80
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "http6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "http" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
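Review bot: The `http` rule here iterates the same `var.security_public_cidr` map as the `ssh` rule in the previous hunk, so port 22 is always reachable from exactly the ranges allowed for 80/443, which by default are `0.0.0.0/0` and `::/0`. If that coupling is not intended, give the `ssh` rule its own map (for example a new variable such as `security_admin_cidr`, a name I am suggesting rather than one in the repo) so SSH can be narrowed without closing the web ports. If it is intended, a one-line comment on the `ssh` resource such as `# shares the public allow-list with http/https on purpose` would record that. The `http` resource's closing lines fall in the next hunk.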
@@ -79,21 +50,11 @@ resource "openstack_networking_secgroup_rule_v2" "http6" {
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
-resource "openstack_networking_secgroup_rule_v2" "https4" {
-  for_each          = var.security_public_cidr4
-  direction         = "ingress"
-  ethertype         = "IPv4"
-  port_range_min    = 443
-  port_range_max    = 443
-  protocol          = "tcp"
-  remote_ip_prefix  = each.key
-  security_group_id = openstack_networking_secgroup_v2.http.id
-}
-
-resource "openstack_networking_secgroup_rule_v2" "https6" {
-  for_each          = var.security_public_cidr6
+resource "openstack_networking_secgroup_rule_v2" "https" {
+  for_each          = var.security_public_cidr
+  description       = each.value
   direction         = "ingress"
-  ethertype         = "IPv6"
+  ethertype         = strcontains(each.key, ":") ? "IPv6" : "IPv4"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
diff --git a/common/terraform/vars.tf b/common/terraform/vars.tf
index 54d05b24447c7ee6182869b195683f2d19a0e32e..4c83a79b52a2f594159b994960f760dd88f5a876 100644
--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -63,18 +63,11 @@ variable "squid_volume_size" {
   description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }
 
-variable "security_public_cidr4" {
-  type = set(string)
-  description = "Enabled IPv4 ranges"
-  default = [
-    "0.0.0.0/0",
-  ]
-}
-
-variable "security_public_cidr6" {
-  type = set(string)
-  description = "Enabled IPv6 ranges"
-  default = [
-    "::/0",
-  ]
+variable "security_public_cidr" {
+  type = map(string)
+  description = "Enabled IP ranges"
+  default = {
+    "0.0.0.0/0": "Public access",
+    "::/0":      "Public access",
+  }
 }
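Review bot: Nothing validates the keys of `security_public_cidr`, yet the `ping`, `ssh`, `http` and `https` rules in firewall.tf pick the ethertype (and, for `ping`, the ICMP type) purely from whether the key contains ":". A mistyped key therefore falls through to the IPv4 branch and is rejected, if at all, only by the provider at apply time. A `validation` block on the variable would fail the plan instead. The description could also state the shape of the map, e.g. `description = "Allowed source CIDRs (key) mapped to the rule description (value)"`.

```hcl
variable "security_public_cidr" {
  # … unchanged: type, description, default …

  validation {
    condition = alltrue([
      for cidr in keys(var.security_public_cidr) : can(cidrhost(cidr, 0))
    ])
    error_message = "Each key of security_public_cidr must be a valid IPv4 or IPv6 CIDR prefix."
  }
}
```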