diff --git a/config/crds/firewall.metal-stack.io_firewalldeployments.yaml b/config/crds/firewall.metal-stack.io_firewalldeployments.yaml
index 584cf0f..1f06b7a 100644
--- a/config/crds/firewall.metal-stack.io_firewalldeployments.yaml
+++ b/config/crds/firewall.metal-stack.io_firewalldeployments.yaml
@@ -99,6 +99,14 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedExternalNetworks:
+                        description: AllowedExternalNetworks defines which networks
+                          are allowed to connect to, and allow incoming traffic from.
+                          By default, defined by an empty slice, all external networks
+                          are allowed. The node network is always allowed.
+                        items:
+                          type: string
+                        type: array
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.
diff --git a/config/crds/firewall.metal-stack.io_firewalls.yaml b/config/crds/firewall.metal-stack.io_firewalls.yaml
index 3c9cd32..4470fb8 100644
--- a/config/crds/firewall.metal-stack.io_firewalls.yaml
+++ b/config/crds/firewall.metal-stack.io_firewalls.yaml
@@ -66,6 +66,14 @@ spec:
           spec:
             description: Spec contains the firewall specification.
             properties:
+              allowedExternalNetworks:
+                description: AllowedExternalNetworks defines which networks are allowed
+                  to connect to, and allow incoming traffic from. By default, defined
+                  by an empty slice, all external networks are allowed. The node network
+                  is always allowed.
+                items:
+                  type: string
+                type: array
               controllerURL:
                 description: ControllerURL points to the downloadable binary artifact
                   of the firewall controller.
diff --git a/config/crds/firewall.metal-stack.io_firewallsets.yaml b/config/crds/firewall.metal-stack.io_firewallsets.yaml
index bb817d4..25c4a3d 100644
--- a/config/crds/firewall.metal-stack.io_firewallsets.yaml
+++ b/config/crds/firewall.metal-stack.io_firewallsets.yaml
@@ -102,6 +102,14 @@ spec:
                   spec:
                     description: Spec contains the firewall specification.
                     properties:
+                      allowedExternalNetworks:
+                        description: AllowedExternalNetworks defines which networks
+                          are allowed to connect to, and allow incoming traffic from.
+                          By default, defined by an empty slice, all external networks
+                          are allowed. The node network is always allowed.
+                        items:
+                          type: string
+                        type: array
                       controllerURL:
                         description: ControllerURL points to the downloadable binary
                           artifact of the firewall controller.