diff --git a/inventory/group_vars/os_proxies b/inventory/group_vars/os_proxies
index 4221d5cdfd..c75d4ce5b3 100644
--- a/inventory/group_vars/os_proxies
+++ b/inventory/group_vars/os_proxies
@@ -13,14 +13,12 @@ tcp_ports: [
     6443,
     # For haproxy status
     8080,
-    # For machinectl api
-    22623,
-    # 9941 is closed generally, is for the inbound fedmsg and is covered in
-    # custom_rules
 ]
 
 custom_rules: [
     # Needed for keepalived
     '-A INPUT -d 224.0.0.0/8 -j ACCEPT',
     '-A INPUT -p vrrp -j ACCEPT',
+    # machinectl api
+    '-A INPUT -p tcp --dport 22623 --src 38.145.48.0/27 -j ACCEPT',
 ]