According to the documentation (https://docs.software-univention.de/developer-reference-4.4.html#misc:nacl) we can set an address parameter:

ucr set security/packetfilter/tcp/4545/192.168.90.99=ACCEPT
Create security/packetfilter/tcp/4545/192.168.90.99
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh
File: /etc/security/packetfilter.d/80_univention-firewall_policy.sh

This address appears to always be used as the destination address, with the parameter "-d":

root@lenaedu:/etc/security/packetfilter.d# tail -2 10_univention-firewall_start.sh
iptables --wait -A INPUT -p "tcp" -d 192.168.90.99 --dport 4545 -j ACCEPT

This partially makes sense in case the UCS server has multiple IPs and the rules should take effect only on a specific IP address. But what cannot be done here is to limit access FROM a specific host or network. This should be possible, too. At least the documentation should state clearly that the address is a destination-only address.

*** This bug has been marked as a duplicate of bug 25632 ***
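
To check an existing system for the behaviour described in this report, the following added example (not part of the original report and not Univention's code) scans rule lines such as those in /etc/security/packetfilter.d/10_univention-firewall_start.sh and flags INPUT ACCEPT rules whose only address match is a destination, so the port stays reachable from every source. The function names, the DEST-ONLY prefix and the second and third sample rules are constructed for illustration; only the first sample rule is taken from the report.

```shell
#!/bin/sh
# Added example: find INPUT ACCEPT rules that match an address with -d
# (destination) but carry no -s (source) restriction.

# Reads rule lines on stdin, prints each flagged rule prefixed "DEST-ONLY: ".
# Runs in a subshell so that disabling globbing does not leak to the caller.
audit_rules() (
    set -f    # keep word splitting, but never expand * or ? in a rule
    while IFS= read -r line; do
        case "$line" in
            iptables*) ;;         # only inspect iptables invocations
            *) continue ;;
        esac
        has_dst=0; has_src=0; accept=0; input=0; prev=""
        for tok in $line; do
            case "$tok" in
                -d|--destination) has_dst=1 ;;
                -s|--source)      has_src=1 ;;
            esac
            [ "$prev" = "-A" ] && [ "$tok" = "INPUT" ] && input=1
            [ "$prev" = "-j" ] && [ "$tok" = "ACCEPT" ] && accept=1
            prev=$tok
        done
        if [ "$input" -eq 1 ] && [ "$accept" -eq 1 ] &&
           [ "$has_dst" -eq 1 ] && [ "$has_src" -eq 0 ]; then
            printf 'DEST-ONLY: %s\n' "$line"
        fi
    done
)

# Sample input. Line 1 is the rule quoted in the report; lines 2 and 3 are
# constructed for contrast (a hand-written source match, and no address).
sample_rules() {
    cat <<'EOF'
iptables --wait -A INPUT -p "tcp" -d 192.168.90.99 --dport 4545 -j ACCEPT
iptables --wait -A INPUT -p "tcp" -s 192.168.90.0/24 --dport 4545 -j ACCEPT
iptables --wait -A INPUT -p "tcp" --dport 22 -j ACCEPT
EOF
}

sample_rules | audit_rules
```

On a real host, feed it the generated script instead of the sample: `audit_rules < /etc/security/packetfilter.d/10_univention-firewall_start.sh`.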