diff --git a/common/terraform/firewall.tf b/common/terraform/firewall.tf
index 1a3262ca3598e5abb466d0914efcd3af67ccd130..b35d242b343a832c133c20cb70389e9d3a02cb58 100644
--- a/common/terraform/firewall.tf
+++ b/common/terraform/firewall.tf
@@ -14,81 +14,89 @@ resource "openstack_networking_secgroup_v2" "http" {
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ping4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 8
   port_range_max    = 0
   protocol          = "icmp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ping6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 128
   port_range_max    = 0
   protocol          = "icmp"  # icmp / ipv6-icmp
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ping.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ssh4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "ssh6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 22
   port_range_max    = 22
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.ssh.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "http4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "http6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 80
   port_range_max    = 80
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "https4" {
+  for_each          = var.security_public_cidr4
   direction         = "ingress"
   ethertype         = "IPv4"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
-  remote_ip_prefix  = "0.0.0.0/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "https6" {
+  for_each          = var.security_public_cidr6
   direction         = "ingress"
   ethertype         = "IPv6"
   port_range_min    = 443
   port_range_max    = 443
   protocol          = "tcp"
-  remote_ip_prefix  = "::/0"
+  remote_ip_prefix  = each.key
   security_group_id = openstack_networking_secgroup_v2.http.id
 }
diff --git a/common/terraform/vars.tf b/common/terraform/vars.tf
index 25f0b320f39f92bf9f58bfb1f2ec2a3b088f22a9..54d05b24447c7ee6182869b195683f2d19a0e32e 100644
--- a/common/terraform/vars.tf
+++ b/common/terraform/vars.tf
@@ -62,3 +62,19 @@ variable "squid_volume_size" {
   type        = number
   description = "Size of volume for squid proxy, CVMFS cache (GB)"
 }
+
+variable "security_public_cidr4" {
+  type = set(string)
+  description = "Enabled IPv4 ranges"
+  default = [
+    "0.0.0.0/0",
+  ]
+}
+
+variable "security_public_cidr6" {
+  type = set(string)
+  description = "Enabled IPv6 ranges"
+  default = [
+    "::/0",
+  ]
+}