diff --git a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
index 3d2031429c..73c4301476 100644
--- a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
@@ -29,13 +29,15 @@ fas_client_groups: sysadmin-dba,sysadmin-noc,sysadmin-veteran
 # fas3-01.stg and openshift
 #
 custom_rules:
-- '-A INPUT -p tcp -m tcp -s 10.5.128.129 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.137 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.82 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.104 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.105 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.106 --dport 5432 -j ACCEPT'
-- '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.129 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.137 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.82 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.104 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.105 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.106 --dport 5432 -j ACCEPT'
+# - '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT'
+# TODO: lock it down more
+- '-A INPUT -p tcp -m tcp -s 10.3.166.0/24 --dport 5432 -j ACCEPT'
 
 #
 # Large updates pushes cause lots of db threads doing the tag moves, so up this from default.