diff --git a/libraries/sys_helpers_firewall.rb b/libraries/sys_helpers_firewall.rb
index 4f49519ca217332e668ba499fffd142c477f5f99..f37f5d7aceaa4d9b8bad4f403e281bc8a85df256 100644
--- a/libraries/sys_helpers_firewall.rb
+++ b/libraries/sys_helpers_firewall.rb
@@ -42,6 +42,19 @@ module Sys
 end
 end
+ def build_set_of_ips(ips)
+ set_of_ips = Array(ips).map { |ip| IPAddr.new(ip) }
+
+ # Only works on buster and newer. In older debian-versions
+ # there is no prefix-method for IPv4-addresses.
+ addrs = set_of_ips.map { |ip| "#{ip}/#{ip.prefix}" }
+ if addrs.length == 1
+ addrs.first
+ else
+ "{#{addrs.join(', ')}}"
+ end
+ end
+
 def port_to_s(p)
 if p.is_a?(String)
 p
@@ -116,19 +129,14 @@ module Sys
 firewall_rule << "oif #{rule_resource.dest_interface} " if rule_resource.dest_interface
 if rule_resource.source
- source_ips = Array(rule_resource.source).map { |ip| IPAddr.new(ip) }
- source_ips.delete(IPAddr.new('0.0.0.0/0'))
- source_ips.delete(IPAddr.new('::/128'))
- # Only works on buster and newer. In older debian-versions
- # there is no prefix-method for IPv4-addresses.
- addrs = source_ips.map { |ip| "#{ip}/#{ip.prefix}" }
- if addrs.length == 1
- firewall_rule << "#{ip_family} saddr #{addrs.first} "
- elsif addrs.length > 1
- firewall_rule << "#{ip_family} saddr {#{addrs.join(',')}} "
- end
+ source_set = build_set_of_ips(rule_resource.source)
+ firewall_rule << "#{ip_family} saddr #{source_set} "
+ end
+
+ if rule_resource.destination
+ destination_set = build_set_of_ips(rule_resource.destination)
+ firewall_rule << "#{ip_family} daddr #{destination_set} "
 end
- firewall_rule << "#{ip_family} daddr #{rule_resource.destination} " if rule_resource.destination
 case rule_resource.protocol
 when :icmp
diff --git a/metadata.rb b/metadata.rb
index ff1020d8163c8ae3642b7e8fcec5082fff6caf29..40dcda17d679175d706bb50b5ce14bad21f92d38 100644
--- a/metadata.rb
+++ b/metadata.rb
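Review bot: `build_set_of_ips` turns an empty input into the literal `{}` — `Array(ips)` of `[]` yields no addrs, the `else` branch runs, and the caller in the second hunk then emits `saddr {} ` because `[]` is truthy in Ruby, which nft rejects when the ruleset is loaded. The removed inline code emitted no `saddr` clause at all when the list ended up empty (including after its `0.0.0.0/0` and `::/128` filtering), so this is a behaviour change for any rule that passes an empty array or only those catch-all addresses. Suggest failing early in the helper with `raise ArgumentError, 'at least one address is required' if addrs.empty?` so the mistake surfaces at compile time rather than as an nft syntax error. The helper also has no doc comment; a short YARD header stating that it accepts a String or Array of IP/CIDR strings, returns either a single `addr/prefix` or an nft anonymous set `{ a/p, b/p }`, and propagates `IPAddr::InvalidAddressError` on malformed input would help callers.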
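Review bot: The `destination` value is now parsed by `IPAddr.new` inside `build_set_of_ips`, whereas the removed `daddr` line interpolated it verbatim, so a recipe that passed a hostname or a named nft set as destination will now raise `IPAddr::InvalidAddressError` during the Chef run; if that tightening is intended it deserves a mention in the resource documentation. Neither the `saddr` nor the new `daddr` branch checks that the parsed addresses agree with `ip_family`, so an IPv6 destination on an IPv4 rule produces a rule that nft rejects only at load time; a check of `ip.ipv6?` against the rule's family before interpolating would move that failure to compile time as well. The enclosing method, and the derivation of `ip_family`, start and end outside this hunk.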
@@ -16,4 +16,4 @@ supports 'debian'
 depends 'line', '< 1.0'
 depends 'chef-vault'
-version '1.64.1'
+version '1.64.2'
diff --git a/recipes/firewall.rb b/recipes/firewall.rb
index aa4706cab68fcefa66f517734303a4bd69527a60..cbc9b0982027369b1677ef75d0c0b7fe446bb6e2 100644
--- a/recipes/firewall.rb
+++ b/recipes/firewall.rb
@@ -45,7 +45,6 @@ end
 firewall_rule 'allow world to ssh' do
 port 22
- source '0.0.0.0/0'
 only_if { node['sys']['firewall']['allow_ssh'] }
 end
diff --git a/test/fixtures/cookbooks/firewall-test/recipes/default.rb b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
index 3777935e5447bf33b7f22fbc5f125541df2e28b8..7640940d694d13cf5d1bf0444d195bb598a9731c 100644
--- a/test/fixtures/cookbooks/firewall-test/recipes/default.rb
+++ b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
@@ -68,6 +68,17 @@ firewall_rule 'block ip-range' do
 command :drop
 end
+firewall_rule "block single destination ip" do
+ destination '192.168.99.99'
+ position 49
+ command :reject
+end
+
+firewall_rule 'block destination ip-range' do
+ destination ['192.168.99.99', '192.168.100.100']
+ command :drop
+end
+
 firewall_rule 'ipv6-source' do
 port 80
 family :ip6
diff --git a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
index 75f877356df111e64dde8fbceff808e626b3fced..c4aed00a4a18957973abdfa04a43c0438c023ef5 100644
--- a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
+++ b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
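Review bot: The new resource name `"block single destination ip"` is double-quoted while every other resource name in this fixture uses single quotes; `firewall_rule 'block single destination ip' do` keeps the file consistent with the Style/StringLiterals convention the rest of it follows. The second new rule, `'block destination ip-range'`, sets no `position`, so its placement relative to the `position 49` rule depends on a default defined outside this hunk; a brief comment on why only the first rule is pinned would help the next person extending these fixtures.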
@@ -30,13 +30,14 @@ expected_rules = [
 /\s+tcp dport 7788 accept.*/,
 /\s+ip saddr 192.168.99.99 reject.*/,
 /\s+ip saddr { 192.168.99.99, 192.168.100.100 } drop.*/,
+ /\s+ip daddr 192.168.99.99 reject.*/,
+ /\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
 /\s+iif "lo" accept comment "allow loopback"/,
 /\s+icmp type echo-request accept.*$/,
 /\s+tcp dport 22 accept.*$/,
 /\s+udp dport 60000-61000 accept.*$/,
 /\s+ct state established,related accept.*$/,
 /\s+icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept.*$/,
- /\s+tcp dport 22 accept.*$/,
 /\s+tcp dport { 2200, 2222 } accept.*$/,
 /\s+tcp dport 1234 drop.*$/,
 /\s+tcp dport 1235 reject.*$/,