diff --git a/hosts/fra1-b/configuration.nix b/hosts/fra1-b/configuration.nix
index c149438..f07efc3 100644
--- a/hosts/fra1-b/configuration.nix
+++ b/hosts/fra1-b/configuration.nix
@@ -75,6 +75,7 @@ in
 ssh8022.server = {
 enable = true;
 keyfile = config.age.secrets.ssh8022-server.path;
+ openGlobalFirewall = false;
 };
 remote-builder.server = {
diff --git a/modules/services/ssh8022/default.nix b/modules/services/ssh8022/default.nix
index e28fa0a..7cf16a1 100644
--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@@ -14,6 +14,10 @@
 server = {
 enable = lib.mkEnableOption "Enable ssh8022 server";
 keyfile = lib.mkOption { type = str; };
+ openGlobalFirewall = lib.mkOption {
+ type = bool;
+ default = true;
+ };
 };
 };
@@ -35,7 +39,7 @@ in
 lib.mkIf cfg.enable {
- mj.services.friendlyport.ports = [
+ mj.services.friendlyport.ports = lib.mkIf (!cfg.openGlobalFirewall) [
 {
 subnets = [ myData.subnets.tailscale.cidr ];
 tcp = [ 22 ];
@@ -43,7 +47,7 @@
 ];
 services = {
- openssh.openFirewall = false;
+ openssh.openFirewall = cfg.openGlobalFirewall;
 spiped = {
 enable = true;
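Review bot: The `default = true;` on the new `openGlobalFirewall` option in the module's option-declaration hunk flips the module's existing behavior: before this commit every host enabling ssh8022.server got `openssh.openFirewall = false` with tcp/22 admitted only from the tailscale subnet via friendlyport, whereas after it any host that does not set the option explicitly (fra1-b is the only one set to false in this diff) resolves to `openssh.openFirewall = true` and sshd's port is opened on every interface. Setting `default = false;` keeps the prior, more restrictive posture and makes exposing sshd globally an explicit opt-in; this default is consumed by both rewritten lines in the friendlyport and openssh.openFirewall hunks further down the same file. The option also has no `description`, e.g. `description = "Open sshd's port on all interfaces instead of only to the tailscale subnet";`. Whether other hosts currently enable ssh8022.server cannot be seen from this diff, and the `lib.mkIf cfg.enable {` block that the later hunks sit in continues outside them.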