diff --git a/configure_ufw.yml b/configure_ufw.yml
index 2d00d2fdc477566a3c09af6ff10fab943fd2f36e..f74ede57ea2e4c3cc22ddb1a964f5af72a9d11aa 100644
--- a/configure_ufw.yml
+++ b/configure_ufw.yml
@@ -3,43 +3,32 @@
   become: true
   hosts: all
   tasks:
-    # setup ufw ssh rules
-    - name: allow ssh access from uni-hamburg ip range
+    # setup ufw ssh exception/limiting rules
+    - name: allow ssh access from specified ip ranges
       ufw:
         rule: allow
         app: OpenSSH
-        from_ip: 134.100.0.0/16
-
-    - name: allow ssh access from internal ip range a)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 192.168.0.0/16
-
-    - name: allow ssh access from internal ip range b)
-      ufw:
-        rule: allow
-        app: OpenSSH
-        from_ip: 172.16.0.0/12
+        from_ip: "{{ item }}"
+      with_items: "{{ ufw_ssh_allowed_from }}"
 
     - name: rate limiting ssh access
       ufw:
         rule: limit
         app: OpenSSH
 
-    # setup nginx web server rule
+    # setup nginx web server exception rule
     - name: allow access of nginx webserver from everywhere
       ufw:
         rule: allow
         name: Nginx Full
 
-    # set default rules
+    # set default deny rules
     - name: deny any other incoming traffic by default
       ufw:
         state: enabled
         default: deny
         direction: incoming
-
+    # set default allow rule for outgoing, FIXME: do it more granulary (only http/https)
     - name: allow any outgoing traffic by default
       ufw:
         state: enabled
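Review bot: Hosts provisioned before this change keep the `134.100.0.0/16` OpenSSH allow rule, because the looped `ufw` task only adds rules for the entries in `ufw_ssh_allowed_from` and nothing in the hunk removes what the old tasks created. If dropping that range is intended, a one-off task with `rule: allow`, `app: OpenSSH`, `from_ip: 134.100.0.0/16` and `delete: true` would bring existing hosts in line, and the same applies whenever an entry is later removed from the list. The loop also fails on an undefined variable, so `with_items: "{{ ufw_ssh_allowed_from | default([]) }}"` is safer for inventories that have not yet copied the new example vars. The play starts above this hunk and the last task continues below it.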
diff --git a/group_vars/otree_servers.yml.example b/group_vars/otree_servers.yml.example
index 225b0ca69810ccceadc80e3a102b951bdc03b480..be821da2c81082ceae7306d7eb6be96eac97b9f9 100644
--- a/group_vars/otree_servers.yml.example
+++ b/group_vars/otree_servers.yml.example
@@ -53,3 +53,6 @@ otree_users:
 ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt"
 ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key"
 
+ufw_ssh_allowed_from:
+  - "192.168.0.0/16"
+  - "172.16.0.0/12"
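Review bot: The new `ufw_ssh_allowed_from` list has no comment saying what membership means, and its name reads like an access restriction. In configure_ufw.yml the `rule: limit` task for OpenSSH has no `from_ip`, so sources outside these ranges are still admitted, only rate-limited; the list merely exempts its ranges from that limit. I would add above the key: `# source ranges exempt from SSH rate limiting; all other sources are still admitted by the rate-limited OpenSSH rule`. The two defaults cover whole private blocks, so the same comment could advise narrowing them to the subnets actually in use.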