diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index e8b46271..c4f2af41 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -534,6 +534,7 @@
 eumd-test-1.komreg.net:
 dest_host: eupub-test-1.komreg.net
 version: 1.1.5-eidas
 md_repo_client:
+ eid::ssh_rules:
 natpub-1.komreg.net:
 autoupdate:
diff --git a/global/overlay/etc/puppet/modules/eid/functions/dnsLookup.rb b/global/overlay/etc/puppet/modules/eid/functions/dnsLookup.rb
new file mode 100644
index 00000000..032002b7
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/functions/dnsLookup.rb
@@ -0,0 +1,14 @@
+# dnsLookup.rb
+# does a DNS lookup and returns an array of strings of the results
+# from http://geek.jasonhancock.com/2011/04/20/doing-a-dns-lookup-inside-your-puppet-manifest/
+
+require 'resolv'
+
+module Eid::Functions
+ newfunction(:dnsLookup, :type => :rvalue) do |args|
+ result = []
+ result = Resolv.new.getaddresses(args[0])
+ debug("resolving #{args[0]} to #{result}")
+ return result
+ end
+end
diff --git a/global/overlay/etc/puppet/modules/eid/manifests/ssh_rules.pp b/global/overlay/etc/puppet/modules/eid/manifests/ssh_rules.pp
new file mode 100644
index 00000000..acf9c356
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/eid/manifests/ssh_rules.pp
@@ -0,0 +1,19 @@
+class eid::ssh_rules{
+
+ $servers = ['nat', 'eu']
+ $servers.each |$servers|{
+ if $::fqdn = ${server}md-test-1.komreg.net {
+ sunet::misc::ufw_allow { 'allow_${key}_ssh_1':
+ from => dnsLookup(${server}pub-test-1.komreg.net)
+ port => '22',
+ }
+ }
+ if $::fqdn = ${server}md-test-2.komreg.net {
+ sunet::misc::ufw_allow { 'allow_${key}_ssh_1':
+ from => dnsLookup(${server}pub-test-2.komreg.net)
+ port => '22',
+ }
+ }
+ }
+
+}
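Review bot: Only `eumd-test-1.komreg.net` gets the new `eid::ssh_rules:` key here, while the class added in the same commit also carries branches for `eumd-test-2`, `natmd-test-1` and `natmd-test-2`. Unless those hosts are wired up elsewhere in cosmos-rules.yaml (not visible in this hunk), the `nat` half of the class and the `-2` branches never run on any node, so the SSH allow rule for those hosts will silently be missing. Add `eid::ssh_rules:` under each host the class is meant to cover, or drop the unused branches from the class.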
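Review bot: `module Eid::Functions` is not the namespace Puppet's 3.x-style `newfunction` is defined in — the blog post this is copied from wraps it in `module Puppet::Parser::Functions` — so, as far as I can tell, loading this file raises `NoMethodError` and `dnsLookup` is never registered; please confirm against the Puppet version on the master. The function also feeds firewall `from` addresses, and `Resolv#getaddresses` returns `[]` rather than raising when a name does not resolve (and Resolv does no DNSSEC validation), so a failed or tampered lookup at catalog-compile time silently becomes a ufw rule with no source instead of a compile error. Fail closed instead: `raise(Puppet::ParseError, 'dnsLookup(): expects exactly one hostname') unless args.size == 1` before the lookup and `raise(Puppet::ParseError, "dnsLookup(#{args[0]}): no addresses resolved") if result.empty?` after it. The `result = []` on the line before the lookup is dead and can go, and `debug` should use `result.join(', ')` rather than interpolating the array.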
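Review bot: The class cannot compile as written: `if $::fqdn = ${server}md-test-1.komreg.net` uses `=` (assignment) where `==` is needed and the hostname is an unquoted interpolation, the lambda parameter `|$servers|` shadows the array while the body reads an undefined `$server`, the single-quoted titles `'allow_${key}_ssh_1'` never interpolate (and `$key` is not defined anywhere) so both branches declare the same literal resource title, and each `from => dnsLookup(...)` line lacks the comma before `port`. The `-1`/`-2` branches differ only in the instance number, so a second loop removes the duplication and the title collision. Note that `.each` with a lambda requires the future parser or Puppet 4, while the `dnsLookup` function added alongside is registered the Puppet 3 way; make sure the master actually supports both. Whether `sunet::misc::ufw_allow` accepts an array for `from` (dnsLookup returns every A/AAAA record) is not visible here and is worth checking.
```puppet
class eid::ssh_rules {

  # For each prefix, the metadata host <prefix>md-test-N may be reached on
  # port 22 from the matching publisher host <prefix>pub-test-N.
  $prefixes = ['nat', 'eu']
  $prefixes.each |$prefix| {
    [1, 2].each |$n| {
      if $::fqdn == "${prefix}md-test-${n}.komreg.net" {
        sunet::misc::ufw_allow { "allow_${prefix}pub-test-${n}_ssh":
          from => dnsLookup("${prefix}pub-test-${n}.komreg.net"),
          port => '22',
        }
      }
    }
  }
}
```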